by crote
1096 days ago
If it is just a regular rounds increase, why force an immediate re-auth on all users? It would be way more user-friendly to just wait 6 months or so for natural re-auths to occur, and only do a forced re-auth on the few remaining users afterwards.
At some point at the company I work for, we decided to change hashing algorithms, and we did it on the fly when users authenticated again. Users were happy, we were happy.
But as someone already said here, there's a high probability that the OTP seeds were stolen, so that's why they are doing this forced reset for MFA re-enrollment.