TJ Hoag
Back to Blog
Troubleshooting Tales 4 min read

The MFA Chicken-and-Egg Problem: When You Need the Network to Get the Network

TJ
Timothy J. Hoag
IAM & IT Operations Specialist

She needed to reset her password. Standard request.

The reset required Microsoft Authenticator. Authenticator needed a push notification. The push needed internet. The campus Wi-Fi needed MFA to connect.

New phone. No mobile data. No way in.

I have seen this a handful of times now, and it always plays out the same way. The user is completely stuck. There is no self-service path out of it. They cannot set up Authenticator because they cannot get online, and they cannot get online because they have not set up Authenticator.

How the loop closes

Push notifications need internet. Campus Wi-Fi needs MFA. On a new phone with no mobile data, those two requirements point at each other and neither one budges.

It almost always starts the same way: someone gets a new phone, sells or wipes the old one, and does not think about Authenticator until they are already on campus trying to log in. The reset flow sends a push to a device that no longer exists. The campus network will not let them online without MFA. Dead end.

How I handled it

There is nothing the user can do here on their own. Someone with backend access has to break the loop.

The path I have seen work:

  1. Verify the user's identity through whatever the institution allows -- student ID, security questions, callback to a number on file
  2. Issue a temporary access pass in Entra ID, or have the backend team generate a time-limited bypass code
  3. Get the user online long enough to set up Authenticator on the new device
  4. Remove the bypass once enrollment is confirmed

In this case, I did not have the access level to issue the bypass directly, so I escalated to a backend team for the unlock. The important part was recognizing the loop for what it was instead of treating it like a standard password reset and sending the user in circles.

Why this keeps happening

Push-based MFA is the right default. It is more secure than SMS, harder to phish, and easier for users day-to-day. But the whole thing assumes the user always has a working device that can receive the push.

In higher ed, that assumption breaks regularly. Students swap phones constantly. They activate new ones before setting up mobile data. They show up on campus with a fresh device and no way to connect to anything.

Nobody plans for the gap between "I got a new phone" and "I set up all my authentication apps." It just falls through.

What would actually fix this

The technical tools exist. Entra ID has temporary access passes. Okta has bypass codes. The problem is usually that nobody has written down when to use them, or front-line agents do not know the option exists.

A few things that would help:

  • A documented process specifically for device-change lockouts, separate from standard MFA resets
  • Front-line agents trained to recognize the loop instead of re-running the standard reset flow
  • Something in the student onboarding materials that says "set up Authenticator on your new phone before you get rid of the old one"

That last one sounds obvious, but I have never seen an institution actually include it in their device guidance. The ones that do would probably cut these tickets in half.

MFA Microsoft Authenticator Higher Ed IT IAM Troubleshooting
Opportunities
Open to Remote Roles

IAM Analyst, Junior Systems Administrator, or IT Operations Analyst - ideally in healthcare or higher education. Direct hire, W-2.

Discuss opportunities