How to deactivate MFA (deactivate MFA in all services, delete tokens)
- Pavel Břoušek (Deactivated)
1 Preparation
Check for a problematic circumstance: absence of tokens and at the same time enabled MFA.
1.1 Detect token state
To verify that you have tokens, go to the Token Management System. If the list is empty, you have no tokens.
1.2 Detect the state in the profile
To verify that you have enabled MFA for at least one service, log in to the User profile and go to Authentication > Multi-factor authentication. If there is a green check box (with a check mark icon or a dash icon) next to Turn on multi-factor authentication for all service you have MFA enabled for at least one service.
1.3 Adding a token
If you do not have any enabled tokens but have enabled MFA for at least one service in your user profile, add a token and then continue. (This will work even if you do not have access to any of your tokens, as long as you do not have any enabled tokens.)
If you have enabled MFA for at least one service in your user profile and you have some enabled tokens but you cannot use them and you do not have your backup codes, you cannot continue and you need to perform MFA recovery instead.
Otherwise, continue to the next step.
2 Deactivate services
2.1 Open profile, uncheck the box
Go to the User profile, Authentication > Multi-factor authentication. At the bottom of the page, under the heading Multi-factor authentication, you will find a list of all services for which MFA is enabled. Click the green checkbox – Turn on multi-factor authentication for all services to deselect all services.
2.2 Save settings
Click on the Save settings button.
2.3 Confirm by signing in with MFA
You might have to confirm this action by signing in again with MFA for the last time.
From this point on, you will not have to use multi-factor authentication when accessing any service (only for those that enforce MFA themselves).
3 (Optional) Delete tokens
Optional - continue only if you want to lose access to services that require MFA.
3.1 Select token
Go to the Token Management System.
In the token list, click the serial number of the token you want to delete
3.2 Delete token
Click on the Delete button.
3.3 Repeat procedure
Repeat this procedure for all your tokens.
4 (Optional) Remove verification codes from an authenticator app
If you are confident that you have disabled MFA for all services and removed all MFA tokens by completing the previous steps, you may also remove the verification codes from your authenticator app.
The specific way of deleting a token will vary, but usually you need to tap the token you want to delete in the app, and the delete option should appear.
If you have no other verification codes in your authenticator app, you may also uninstall it.
5 (Optional) Remove security keys
For complete deactivation, e.g. if you want to give/return your device to someone, you need to remove security keys from all devices that have been registered as a security key. Beware that some security keys cannot be deleted (e.g. from a Yubikey 4) and in some cases, only a complete security key reset can be performed, which means that security keys for all sites will be removed (this concerns security keys without support for the new passkeys standard). The specific way of deleting a security key varies based on the type of device, operating system and web browser. Consult the maker of your device for specific instructions.
Below are instructions on how to delete some security keys:
Support: perun@cesnet.cz