Reset MFA. Any native solution?

Here’s my use case: User from an organisation logs into the system by entering the password and then entering the 2FA code from the authenticator app. He needs to reset his MFA after losing his device. Is there any way the organisation admin can prompt the user to reset his MFA via an action? What’s the best way to go about this with existing Bubble actions?

bubble doesn’t really give you a direct “admin forces user to reset mfa” button. the usual way to handle it is kinda simple tho. you just add something like a “mfa_reset_needed” field on the user, and when the admin sets that to yes, the next time that user logs in you check that field and push them straight into the mfa setup flow again instead of letting them into the app.

it ends up working pretty much the same as an admin-triggered reset in other systems. it’s just bubble doesn’t do it automatically, so you kinda have to fake it with your own logic.

if you want i can show you exactly how the login workflow should look so the user can’t skip it

Thanks a lot.
So when the user goes through the same flow again, will it override his/her existing mfa codes/settings?

yeah it wipes the old one completely. once they go through the setup flow again, bubble generates a fresh secret and the old codes stop working right away. it doesn’t stack or merge anything; the new setup just becomes the only valid mfa for that user.

So, I just realized that in order to trigger the set MFA flow I need to be logged in. But once I place the log in workflow, Bubble automatically detects that its MFA is set and it routes it to the verification page. Do you have any suggestion on how I can break this default flow so I can trigger the MFA flow based on my condition? (if mfa_reset=true)

hmm yeah that happens a lot with bubble’s default mfa flow… once the user logs in, bubble thinks “oh this account already has mfa set”, so it pushes them straight to the verification step. it doesn’t really care about your custom logic.

the only real way to break that autopilot is to avoid letting bubble run the native login action first. instead, you kinda “fake-log them in” with a temporary state or a custom page, check your mfa reset=yes, and only then send them into the mfa setup flow.

Right. That sounds tricky and complicated. Let’s say we dump the entire admin-resetting-the-mfa flow and instead do something with the backup code generated for the user when he set it the first time. Do you know how I can use the backup code to allow the user access to his/her account so they can reset the mfa themselves after logging in to the system?

yeah, using the backup code is honestly the easiest way to handle this. once mfa is set, bubble won’t let you force the user back into the setup flow unless they’re already logged in, so any admin reset workaround will keep getting blocked.

the backup code gets around that because bubble treats it like a master key. the user logs in with their password and the backup code, bubble unlocks the account, and then they can go straight to the mfa setup page again. bubble doesn’t block that flow at all.

so the admin just provides the backup code, the user logs in with it, and then they reset mfa themselves. that’s basically the intended way to handle a lost device in bubble, so it’ll work reliably.

Got it. Is there any action that validates the backup code and allows the user to proceed to the next step? I am struggling to find any action linked to it.

Hey! Just to clarify, you don’t need a separate action to validate backup codes in Bubble. When a user enters a backup code during the login/MFA step, Bubble automatically checks it. If the code is valid, the user proceeds just like they completed MFA normally. There’s no manual action needed for this.

You could technically set up your own custom check if you wanted full control, but for most apps, Bubble’s built-in system handles it cleanly and reliably. Your users will be able to use backup codes without any issues, and this approach is fully supported by Bubble’s workflow.

I just verified and yes this works!
Many thanks for your help.

No problem 😀