We’ve migrated our documentation to a new site, which means some URLs have changed.
Subscriptions

How do I reset MFA for a Piano dashboard user?

What an MFA Reset Does (and Does Not Do)

An MFA (Multi-Factor Authentication) reset returns the user to a first-login MFA enrollment state.

What the reset does:

  • Clears the user's stored MFA secret (TOTP token) so the next login displays a new QR code.

  • Invalidates any previously generated authenticator codes and recovery codes.

  • Clears the "Remember this device for 30 days" trust state.

What the reset does not change:

  • The user's password; a password reset does not reset MFA.

  • The user's historical data, reporting, or ownership; as long as you reassign the same roles and permissions.

MFA is tied to the user's email address and cannot be "disabled" for an individual user, it can only be reset.

Before You Reset: Troubleshooting Invalid Codes

If the user's authenticator codes are being rejected, try the following before proceeding with a full reset:

  1. Confirm the phone's time is set to Automatic / Network-provided time (TOTP codes are time-sensitive).

  2. Have the user log out completely and log back in.

  3. Clear browser cookies and cache, or try a different browser.

  4. If available on the MFA prompt, click Authenticate Again.

  5. Ensure the user is logging into the correct Dashboard and environment (e.g., US vs. EU, Production vs. Sandbox).

If the issue persists after trying these steps, proceed with an MFA reset using one of the options below.

How to Reset MFA

Option A: Self-Service Reset in Team Manager (Recommended)

Use this option when you have permissions to manage team members and need to resolve the issue quickly.

  1. Sign in to the Piano Dashboard with an account that has Team Manager (user management) permissions.

  2. Navigate to Home → User Management → Team Manager.

  3. Search for the user by email address.

  4. Open the three-dot menu (⋮) and select Remove user.

  5. Immediately re-add the user using the same email address and reassign the required roles and permissions.

  6. Ask the user to log in again (typically via the invitation link). They will be prompted to:

    • Scan a new QR code with an authenticator app (e.g., Google Authenticator, Microsoft Authenticator).

    • Enter the 6-digit code from the authenticator app.

    • Save the new recovery codes.

Before scanning the new QR code, the user should delete the old "Piano" entry from their authenticator app to avoid confusion between old and new entries.

When Resending the Invitation May Be Sufficient

If the user never completed MFA enrollment, they may appear as inactive or not fully onboarded. In that case, resending the invitation may be sufficient, no reset is needed because enrollment was never completed.

Option B: Request a Reset from Piano Support

Use this option if you cannot perform the Team Manager flow or if self-service does not resolve the issue.

When contacting support, include the following information:

  • The affected user's email address.

  • A brief reason for audit logging (e.g., "lost phone", "changed authenticator", "employee turnover").

Processing time: Typically 1–3 business days after verification.

Typically no completion email is sent. Advise the user to try logging in again after the stated processing window.

What the User Will See After the Reset

On the next login after the reset, the user will:

  1. Enter their email and existing password.

  2. Enroll in MFA again by scanning the new QR code with their authenticator app.

  3. Enter the 6-digit code from the authenticator app to confirm enrollment.

  4. Download or copy the new recovery codes and store them securely.

Common Issues After a Reset

Issue

Solution

User still sees an old MFA prompt or it does not appear to be reset.

Clear browser cache and cookies and try again, or try a different browser.

Codes are still rejected after re-enrollment.

Re-check that the phone's time is set to Automatic / Network-provided time.

User cannot be removed from Team Manager.

The user may need to be removed from special assignments (e.g., Global Admin roles) before deletion is allowed.

User passes MFA but encounters an access or error screen.

Confirm the user is correctly added to the application and has the required roles, and permissions assigned in Team Manager.

Scope and Applicability

  • These instructions apply to Piano Dashboard team-member MFA using an authenticator app (TOTP).

  • This does not apply to end-user flows that use one-time email codes (e.g., "2-factor via email code" for consumer logins), which do not use an authenticator QR setup.

Last updated: