MFA broken after clone down

Tim Grindlay
Kilo Sage

Our Development and UAT environments require local login with MFA. We have a clone preserver set up for the user_multifactor_auth table, and during our last upgrade to San Diego we cloned our DEV and UAT environments.

Post clone, we could log into the instances with our pre-clone DEV and UAT MFA codes from our authenticator apps fine. For an unrelated reason we needed to clone our UAT environment again (several update sets committed in error), and after this second clone (a few days after the initial clone) no one was able to log in using their MFA codes and we were effectively locked out of the instance.


Luckily we had a clean-up script that re-enables our email and sends it to a shared email account, so we were able to get a temporary MFA code (for accounts that had an email address, because you don't get that option if your account doesn't have one!).

While troubleshooting we discovered that clicking the 'Receive a code via email' link brings the old codes back to life. You don't have to use the code that was sent to the email. I also have a suspicion that an account that is locked out and then unlocked also brings them back, but I haven't thoroughly tested this, as once the codes are working I have to find another user that had pre-clone MFA codes set up to test with.

I raised a case with Now Support but got nowhere. They suggested re-cloning, resetting the 'Enable multi-factor authentication' flag on the user profile, or using the 'Receive a code via email' link, but these are all workarounds. Posting to see if anyone else has come across this.

1 ACCEPTED SOLUTION

Hi Tim,

An update for you. We deleted the additional out of the box Exclude Tables and Preserve Data records for user_multifactor_auth that had been added recently. We cloned today and MFA is working straight after the clone. I am going to update our Case with ServiceNow, but might be worth giving it a try? Will let you know if we get any official confirmation.

Thanks,

Charlotte


22 REPLIES

Luke43
Tera Contributor

We have excludes and preservers for user_multifactor_auth, and despite that I did attempt the MFA codes for prod and sub-prod, all to no success.

Tim Grindlay
Kilo Sage

We've had three successful clones over the last few days, so I'm resolving this as being caused by the additional preserver that was added.

@Tim Grindlay @Charlotte Pakes

Is it correct to assume that excluding and preserving the [user_multifactor_auth] table only helps if you also preserve the users in the target instance? But what if you want to run a full clone, including the user records. How would you avoid being locked out from the target instance after the clone in this scenario?

In a full clone including user records you wouldn't preserve the user_multifactor_auth table, and your credentials, password and MFA codes would match production. Theoretically, excluding and preserving the user_multifactor_auth table and preserving the user table would mean you'd end up with the production passwords but the MFA codes for the target instance, but I doubt that would actually work.

George23
ServiceNow Employee

This video shows you how to reset MFA after creating a clone.