Description: Your customers may encounter some situations where they need to reset TOTP MFA and enroll with a new QR code to connect to the VPN such as:
- An end user changes their phone.
- An end user loses their phone.
- An end user's phone is stolen.
Follow the steps below to reset a user's TOTP MFA. After resetting, they can enroll with a new QR code from the Client Web UI.
Tip: If you have Access Server version 3.0.0 or newer, you can reset TOTP MFA from the Admin Web UI. If you're using an older version, you must connect to the command-line interface (CLI) to reset a user's TOTP MFA. The Access Server administrator must connect directly to the console with root permissions ("sudo su").
Reset a user's TOTP MFA code from the Admin Web UI
For Access Server 3.0.0 and newer:
- Sign in to the Admin Web UI.
- Click Users.
- Click the user you want to reset the TOTP MFA for. For example: "brandonqa".
- On the right panel, click Reset MFA.
- Click Confirm.
- The user's TOTP MFA is reset.
- Instruct the user to access the Client Web UI (CWS) and enroll again using a new TOTP MFA QR code provided there.
Reset a user's TOTP MFA code from the CLI
- Connect to the Access Server console and get root permissions.
- Based on your Access Server version, run the following commands (replace <USER> with the username, for example brandonqa):
For Access Server 2.11 and newer:
sudo su
cd /usr/local/openvpn_as/scripts/
./sacli --user <USER> --lock 0 TotpRegen
./sacli start
For older Access Server versions:
sudo su
cd /usr/local/openvpn_as/scripts/
./sacli --user <USER> --lock 0 GoogleAuthRegen
./sacli start
- Instruct the user to access the Client Web UI (CWS) and enroll again using a new TOTP MFA QR code provided there.
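As an added example, not part of this article and not OpenVPN's own tooling, the following POSIX shell script wraps the two command variants above so an administrator does not have to remember which one applies. It picks TotpRegen or GoogleAuthRegen by comparing the supplied Access Server version against 2.11 component by component (a plain string compare would rank 2.9 above 2.11), refuses usernames containing characters outside a conservative allowlist (an assumption of this script, not an Access Server rule), and only invokes sacli when called with run as root. The version string is passed in by the caller; the script does not probe the server. The sacli path is the one given in this article.

```shell
#!/bin/sh
# Added example: choose and run the correct sacli TOTP reset command for a
# given Access Server version. Not OpenVPN's own tooling.
# Assumptions: sacli lives in /usr/local/openvpn_as/scripts (as the article
# states); the caller supplies the installed version string.

SACLI_DIR=/usr/local/openvpn_as/scripts

# version_ge A B: succeed when version A >= version B, comparing each
# dot-separated component numerically; missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# regen_subcommand VERSION: TotpRegen from 2.11 on, GoogleAuthRegen before.
regen_subcommand() {
    if version_ge "$1" "2.11"; then
        echo TotpRegen
    else
        echo GoogleAuthRegen
    fi
}

# validate_user NAME: conservative allowlist (assumption of this script) so a
# username taken from a ticket or form cannot smuggle extra sacli arguments.
validate_user() {
    case "$1" in
        "" | *[!A-Za-z0-9._@-]*)
            echo "refusing username '$1'" >&2
            return 1 ;;
    esac
    return 0
}

# reset_totp VERSION USER [run]: without "run" it prints the commands it
# would execute (dry run); with "run" it executes them and requires root.
reset_totp() {
    version=$1
    user=$2
    mode=${3:-dry-run}
    validate_user "$user" || return 1
    sub=$(regen_subcommand "$version")
    if [ "$mode" = run ]; then
        if [ "$(id -u)" -ne 0 ]; then
            echo "must run as root (sudo su)" >&2
            return 1
        fi
        "$SACLI_DIR/sacli" --user "$user" --lock 0 "$sub" && "$SACLI_DIR/sacli" start
    else
        echo "$SACLI_DIR/sacli --user $user --lock 0 $sub && $SACLI_DIR/sacli start"
    fi
}

# Stand-alone usage: dry run for the article's example user unless arguments
# are given, e.g.  ./reset_totp.sh 2.11.3 brandonqa run
reset_totp "${1:-2.11.3}" "${2:-brandonqa}" "${3:-dry-run}"
```

Run it once without "run" to see the exact command pair it would issue for that version, then repeat with "run" from a root shell; after it finishes, the user enrolls again from the Client Web UI as described above.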
For more info, refer to Command line configuration parameters on our TOTP MFA documentation page.
If you have additional questions, please submit a ticket.