How to deactivate MFA (deactivate MFA in all services, delete tokens)

1 Preparation

Check for a problematic circumstance: absence of tokens and at the same time enabled MFA.

1.1 Detect token state

To verify that you have tokens, go to the Token Management System. If the list is empty, you have no tokens.

1.2 Detect the state in the profile

To verify that you have enabled MFA for at least one service, log in to the User profile and go to Authentication > Multi-factor authentication. If there is a green check box (with a check mark icon or a dash icon) next to Turn on multi-factor authentication for all service you have MFA enabled for at least one service.

1.3 Adding a token

If you do not have any enabled tokens but have enabled MFA for at least one service in your user profile, add a token and then continue. (This will work even if you do not have access to any of your tokens, as long as you do not have any enabled tokens.)

If you have enabled MFA for at least one service in your user profile and you have some enabled tokens but you cannot use them and you do not have your backup codes, you cannot continue and you need to perform MFA recovery instead.

Otherwise, continue to the next step.

2 Deactivate services

2.1 Open profile, uncheck the box

Go to the User profile, Authentication > Multi-factor authentication. At the bottom of the page, under the heading Multi-factor authentication, you will find a list of all services for which MFA is enabled. Click the green checkbox – Turn on multi-factor authentication for all services to deselect all services.

2.2 Save settings

Click on the Save settings button.

2.3 Confirm by signing in with MFA

You might have to confirm this action by signing in again with MFA for the last time.

From this point on, you will not have to use multi-factor authentication when accessing any service (only for those that enforce MFA themselves).

3 (Optional) Delete tokens

Optional - continue only if you want to lose access to services that require MFA.

3.1 Select token

Go to the Token Management System.
In the token list, click the serial number of the token you want to delete

3.2 Delete token

Click on the Delete button.

3.3 Repeat procedure

Repeat this procedure for all your tokens.

4 (Optional) Remove verification codes from an authenticator app

If you are confident that you have disabled MFA for all services and removed all MFA tokens by completing the previous steps, you may also remove the verification codes from your authenticator app.

The specific way of deleting a token will vary, but usually you need to tap the token you want to delete in the app, and the delete option should appear.

If you have no other verification codes in your authenticator app, you may also uninstall it.

5 (Optional) Remove security keys

For complete deactivation, e.g. if you want to give/return your device to someone, you need to remove security keys from all devices that have been registered as a security key. Beware that some security keys cannot be deleted (e.g. from a Yubikey 4) and in some cases, only a complete security key reset can be performed, which means that security keys for all sites will be removed (this concerns security keys without support for the new passkeys standard). The specific way of deleting a security key varies based on the type of device, operating system and web browser. Consult the maker of your device for specific instructions.

Below are instructions on how to delete some security keys:

https://support.google.com/chrome/answer/13168025?hl=en&co=GENIE.Platform=Android#zippy=%2Cmanage-passkeys

If you have a passkey-compatible device (with support for discoverable credentials aka resident keys), it is possible to delete entries one by one.

To do this, you may use security keys management in Google Chrome: https://docs.yubico.com/hardware/yubikey/yk-bio/tech-manual/chrome.html (should work for any FIDO2 security key).

Alternatively, the removal of entries from a physical security key can be done in the key management tool provided by the key maker. Here are instructions for some of them:

In case you have an older security key (without resident key support), it is not possible to delete entries one by one, only to use the "factory reset" option and thus delete the entire security key, which means losing access to all websites.
Note that some key fobs do not have a factory reset option and entries cannot be deleted. It is always necessary to check the options for the specific physical security key of the specific manufacturer.

 

 

 

Support: perun@cesnet.cz