When Envato staff need to regain access to their Envato Account having lost access to their Two Factor Authentication (2FA) device, we need to verify their identity and get them access to their account swiftly so that they can continue with their work. The current way of contacting the Auth on-call person via Slack or email has not scaled as the company has grown. Going forward, the Customer Success team will verify our internal staff/contractors and reset 2FA.
Context
Many Envato services require users (such as administrators, developers and reviewers) to have 2FA enabled on their Envato account in order to be able to access privileged functions. As a result, anyone who has an @envato.com email address associated with their Envato account is likely to have 2FA enabled. Note - some contractors will have a personal email address associated with their account so it's important to use our verification procedures to identify them.
An account holder's second factor usually takes the form of the Google Authenticator app on their smartphone. There are folks who prefer other methods, including Authy (which allows for transferring seeds between devices) and password managers such as 1Password, which store the seeds alongside other credentials.
When an account holder loses access to their phone or gets a new handset and cannot transfer the 2FA seeds to their new device, they lose access to their Envato account.
To afford our account holders uninterrupted access to their account, we provide them with ten backup codes when they set up 2FA, which can be used in place of a time-based one-time password (TOTP).
We email new account holders to remind them to keep their backup codes safe for this eventuality.
Even with these automated processes in place, account holders still find themselves unable to authenticate when they lose access to their devices.
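To show how the second factor and the backup codes described above fit together at the verification step, here is an added example in Python. It is not Envato's code and makes no claim about how the Envato account service is implemented; it implements a standard RFC 6238 TOTP check (HMAC-SHA1, 30-second step, 6 digits, one step of clock skew allowed) and a fallback to stored backup codes. The seed used is the public RFC 6238 test-vector key, and the assumptions that backup codes are stored hashed and consumed once are design choices of this example, not facts stated on the page.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 test-vector seed ("12345678901234567890" in base32). Constructed for
# the example; it is public and must never be used as a real seed.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TOTP_STEP = 30
TOTP_DIGITS = 6


def totp_code(seed_b32: str, timestamp: int, step: int = TOTP_STEP,
              digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(seed_b32: str, submitted: str, timestamp: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock skew)."""
    for skew in range(-window, window + 1):
        expected = totp_code(seed_b32, timestamp + skew * TOTP_STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False


def generate_backup_codes(count: int = 10) -> list:
    """Ten random 8-hex-character codes, shown to the user once at 2FA setup."""
    return [secrets.token_hex(4) for _ in range(count)]


def hash_backup_code(code: str) -> str:
    # Assumption of this example: only hashes are stored server-side, so a
    # database leak does not expose usable codes.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class SecondFactor:
    """Per-account 2FA state: the TOTP seed plus the unused backup-code hashes."""

    def __init__(self, seed_b32: str, backup_codes: list):
        self.seed_b32 = seed_b32
        self.unused_backup_hashes = {hash_backup_code(c) for c in backup_codes}

    def check(self, submitted: str, timestamp: int = None) -> bool:
        """Return True if `submitted` is a valid TOTP or an unused backup code."""
        if timestamp is None:
            timestamp = int(time.time())
        submitted = submitted.strip()
        # A 6-digit value is treated as a TOTP; anything else as a backup code.
        if submitted.isdigit() and len(submitted) == TOTP_DIGITS:
            return verify_totp(self.seed_b32, submitted, timestamp)
        digest = hash_backup_code(submitted)
        if digest in self.unused_backup_hashes:
            # Assumption of this example: each backup code is single-use.
            self.unused_backup_hashes.discard(digest)
            return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    account = SecondFactor(RFC_SEED_B32, codes)
    now = int(time.time())
    print("TOTP accepted:", account.check(totp_code(RFC_SEED_B32, now), now))
    print("backup accepted once:", account.check(codes[0], now))
    print("backup replay rejected:", account.check(codes[0], now))
```

The `SecondFactor.check` path is the part the page's process relies on: if the phone (and its seed) is gone, the only self-service route left is an unused backup code, which is why the page stresses keeping them safe.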
New Process for Verifying and Resetting 2FA for Internal Staff
Customer Success is already verifying account holders and resetting 2FA credentials for customers. The same processes can be applied to staff members. As the team is larger and spread across more time zones than the Auth team, we are better placed to support our staff members across multiple time zones. Note - when we refer to resetting 2FA, we are referring to disabling 2FA on a staff member's account so that they can log in and then enable 2FA again.
Going forward, all Envato staff in need of a 2FA reset can contact the Customer Success team via #1800-customer-success in Slack. We will handle these requests as they come in and verify and reset 2FA for staff members (including contractors).
When we need to verify staff members/contractors, we can verify the staff member using their email address (the email address usually ends with @envato.com). If they are using a personal email address such as Gmail, please ensure that you ask for their billing address. If you're still unsure of their identity even though they have submitted their request via Slack, please find their details via BambooHR and/or set up a quick video call via Google Meet to identify the individual.
Please ensure that you're completing the Reason field before hitting Disable Two Factor Authentication. Once you have completed the action, please respond to the staff member via a thread in the original post and let them know that 2FA has been disabled and they can now log in and enable it.
Additional Information
If you're reading this, it is likely that you have 2FA enabled on your Envato account. Do you know where your backup codes are? Today's a good day to head to https://account.envato.com/account/two_factor/backup_codes , take a copy of your backup codes and keep it secret, keep it safe.