This guide is for situations where a user is in an emergency situation and needs access to their account without using MFA/2SV temporarily.
First you should make sure the request is actually from the user it appears to be.
If the request to reset MFA is from an email (work or personal) or a phone call from someone you don’t know well enough to recognise their voice, you should first take a minute to check that the request is legitimate.
Do this by giving them a call or sending them a secure text message (e.g. Slack, Teams, Telegram, or Signal) using a number you got from the company directory or phonebook (or in a pinch from another colleague).
A simple: “Hi, this is IT - just double checking you requested an MFA reset” and confirmation from them will do the job.
Need more information? See our article on verifying user requests.
Find the user requesting support and add them to the Emergency 2SV Disabled group you created earlier.
If you have not yet created this group, follow Google's documentation to create an exemption group.
Once the user is added to the exemption group, you can disable their MFA, but opening the Security panel on their profile, and updating the 2-step verification setting like this:
Set a reminder to remove the user from the exemption group in the near future. This could be opening a support ticket if you have a ticketing system, or setting a task on a calendar.