When a user can’t sign in, they can submit an assistance request from the sign-in page. The platform emails administrators with the details they need to verify the user’s identity and restore access.
Overview
Account Access Assistance handles four common situations:
- Lost 2FA device or backup codes - the user can’t complete two-factor authentication.
- Forgotten password - the user doesn’t know their password and can’t reset it themselves.
- Account locked out - the account has been locked due to too many failed attempts.
- Other access issues - any other problem preventing sign-in.
The process is deliberately simple for the user. They enter their email address, choose the type of problem and submit the request. The platform handles the rest behind the scenes.
How Requests Arrive
When a user submits an assistance request, the platform emails all administrators who have the required Data Protection Access permission. The email contains a reference ID and everything the administrator needs to assess the situation before taking action.
Not every administrator receives these emails. Only users with Data Protection Access permission (at the required level) and an active account with a valid email address will be notified.
What the Email Contains
Each assistance request email includes several sections to help you make an informed decision.
Request Details
- Reference ID - a unique identifier for tracking and audit purposes.
- Submitted email - what the user entered on the form.
- Resolved account - the user account the platform matched, if found.
- Request type - which issue the user selected (lost 2FA, forgotten password, locked out, or other).
- Date and time - when the request was submitted.
Account Status
If the platform can match the request to an existing user, the email includes:
- Whether the account exists and is active.
- Whether two-factor authentication is enabled.
- How many unused backup codes are available.
This helps you understand the account’s current state before deciding what action to take.
Recent Security Events
The email summarises recent security activity on the account:
- Last successful sign-in (date and time).
- Recent sign-in locations and networks.
- Recent failed sign-in attempts.
- When access emails or recovery codes were last sent.
- When 2FA or backup codes were last changed.
Review these events for anything unusual. A sudden change in sign-in location or a string of failed attempts from an unfamiliar network could indicate someone other than the genuine user is trying to gain access.
Request Context
The email includes details about where the request came from:
- IP address and approximate location (city and country).
- Network information.
- Whether this IP or network has been used for successful sign-ins before.
If the request comes from a location or network the user has never used before, take extra care with identity verification.
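The checks described under Recent Security Events and Request Context can be written down as a repeatable triage step. The following is an added example, not part of the platform: the field names, flag labels, the 24-hour window and the burst threshold of three are all assumptions, and the values are transcribed by hand from a constructed request.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AssistanceRequest:
    """Fields transcribed from one request email (hypothetical names)."""
    reference_id: str
    request_type: str             # lost_2fa | forgotten_password | locked_out | other
    submitted_at: datetime
    account_matched: bool
    origin_seen_before: bool      # IP or network used for a past successful sign-in
    known_networks: set = field(default_factory=set)
    failed_signins: list = field(default_factory=list)   # [(when, network), ...]
    last_2fa_change: Optional[datetime] = None
    last_recovery_sent: Optional[datetime] = None

def triage(req, burst=3, window=timedelta(hours=24)):
    """Return the reasons this request needs extra care before any recovery action."""
    if not req.account_matched:
        return ["no-matching-account"]
    flags = []
    if not req.origin_seen_before:
        flags.append("request-from-unfamiliar-origin")
    recent_unknown = [w for w, net in req.failed_signins
                      if req.submitted_at - w <= window and net not in req.known_networks]
    if len(recent_unknown) >= burst:
        flags.append("failed-signin-burst-from-unfamiliar-network")
    for label, when in (("recent-2fa-change", req.last_2fa_change),
                        ("recovery-already-sent", req.last_recovery_sent)):
        if when is not None and req.submitted_at - when <= window:
            flags.append(label)
    return flags

# Constructed sample: a lost-2FA request from a network never seen on the account.
NOW = datetime(2024, 5, 1, 9, 30)
SAMPLE = AssistanceRequest(
    reference_id="REF-EXAMPLE-0001", request_type="lost_2fa", submitted_at=NOW,
    account_matched=True, origin_seen_before=False,
    known_networks={"AS-EXAMPLE-1"},
    failed_signins=[(NOW - timedelta(minutes=m), "AS-EXAMPLE-2") for m in (50, 40, 30)],
    last_2fa_change=NOW - timedelta(days=90),
    last_recovery_sent=NOW - timedelta(hours=2),
)

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print(SAMPLE.reference_id, flag)
```

An empty result does not replace identity verification; the flags only indicate when the separate-channel check deserves extra care.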
Verifying Identity
Before taking any action, confirm you’re dealing with the genuine user. The platform deliberately doesn’t prescribe how to do this, as every organisation has its own procedures for verifying identity.
Common approaches include:
- Calling the user on a known phone number.
- Asking security questions agreed during onboarding.
- Confirming with their line manager.
- Verifying details that only the real user would know.
The reference ID in the email helps you match the request to any follow-up conversation with the user.
Important: Never take recovery action based solely on the assistance request email. Always verify through a separate channel first.
Resolving the Request
Once you’ve verified the user’s identity, go to Settings > Users, find their account and use the appropriate action from the Actions menu.
Send Access Email
Sends an email to the user’s registered address with their sign-in details and a password reset link.
When to use: Forgotten passwords or general access issues where the user just needs to reset their credentials.
What you need:
- On Behalf Of (optional) - select the user who asked for help, if different from who you’re acting as.
- Reason - choose from the predefined reason list.
- Details (optional) - any extra context about why you’re sending this.
What happens:
- The user receives an email with a link to set a new password.
- The action is recorded in the user’s activity log with the reason you provided.
Permission needed: Data Protection Access at the required level.
Send Recovery Code Email
Generates a single-use recovery code and emails it to the user. The code lets them reset their password or remove their 2FA device.
When to use: The user has lost access to their authenticator app and has no backup codes remaining. This is the only way to reset 2FA remotely.
What you need:
- On Behalf Of (optional) - select the user who asked for help.
- Reason (required) - you must select a reason for audit purposes.
- Details (optional) - extra context about the recovery.
What happens:
- The platform generates a unique recovery code.
- The code is emailed to the user’s registered email address.
- The code is valid for one hour and can only be used once.
- After using the code, the user can set a new password and re-enrol for 2FA.
- The action is recorded in the activity log.
Permissions needed: Expert Mode and Data Protection Access at the required level. The higher permission bar exists because this action bypasses two-factor authentication.
Important: Only issue recovery codes after thorough identity verification. A recovery code effectively removes 2FA protection, so treat this as a sensitive operation.
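The properties listed above for a recovery code (unique, valid for one hour, usable once, reason required, action logged) can be made concrete in a short sketch. This is an added example and not the platform's implementation: the class, the in-memory storage, the digest-only storage and the limit on wrong guesses are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 3600   # the page: the code is valid for one hour
MAX_WRONG_GUESSES = 5     # assumption: the page does not state a guess limit

class RecoveryCodes:
    """In-memory sketch; a real store would be a database table."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # user_id -> [sha256 digest, expiry, wrong guesses]
        self.audit = []       # (event, user_id, admin, reason)

    def issue(self, user_id, admin, reason):
        if not reason:
            raise ValueError("a reason is required for audit purposes")
        code = secrets.token_urlsafe(16)          # 128 bits from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        # Only the digest is kept, and a new code replaces any earlier one.
        self._pending[user_id] = [digest, self._clock() + CODE_TTL_SECONDS, 0]
        self.audit.append(("issued", user_id, admin, reason))
        return code                               # goes only into the email to the user

    def redeem(self, user_id, code):
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires, _ = entry
        if self._clock() >= expires:
            del self._pending[user_id]            # expired: drop it
            return False
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, supplied):   # constant-time comparison
            entry[2] += 1
            if entry[2] >= MAX_WRONG_GUESSES:
                del self._pending[user_id]        # too many guesses: revoke
            return False
        del self._pending[user_id]                # single use: consume on success
        self.audit.append(("redeemed", user_id, None, None))
        return True
```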
Security Notes
Rate Limiting
The platform limits how often assistance requests can be submitted. This prevents automated abuse of the request system.
No User Enumeration
The assistance request form gives the same response whether or not the submitted email matches an existing account. This prevents anyone from using the form to discover valid accounts.
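The Rate Limiting and No User Enumeration properties interact: the throttle must not depend on whether the account exists, or it becomes the enumeration signal. The following added example shows one way to keep the two independent; it is not the platform's code, and the class, reply text, limit of three per 15 minutes and the notification fields are assumptions.

```python
import time
from collections import defaultdict, deque

GENERIC_REPLY = "Request received. If it matches an account, an administrator will follow up."

class AssistanceForm:
    """Sketch of the public endpoint; class and field names are hypothetical."""

    def __init__(self, accounts, limit=3, per_seconds=900, clock=time.monotonic):
        self._accounts = {a.lower() for a in accounts}
        self._limit, self._per, self._clock = limit, per_seconds, clock
        self._hits = defaultdict(deque)      # source IP -> submission timestamps
        self.admin_outbox = []               # stands in for the administrator email

    def submit(self, email, request_type, ip):
        now = self._clock()
        hits = self._hits[ip]
        while hits and now - hits[0] >= self._per:
            hits.popleft()                   # slide the window forward
        # The limit is keyed on the requester, never on whether the account exists,
        # so throttling cannot be used to tell real addresses from unknown ones.
        if len(hits) >= self._limit:
            return 429, "Too many requests. Try again later."
        hits.append(now)
        matched = email.strip().lower() in self._accounts
        # Same work on both paths (assumed from "if found" in the email fields):
        # administrators are notified either way, and only their copy says
        # whether an account was resolved.
        self.admin_outbox.append(
            {"submitted_email": email, "type": request_type, "ip": ip, "resolved": matched})
        return 200, GENERIC_REPLY
```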
Audit Trail
Every assistance request and every administrative action taken in response is logged. The platform records:
- When the request was submitted and from where.
- Which administrators were notified.
- What actions were taken and by whom.
- The reason given for each action.
This provides a complete audit trail for compliance and security reviews.