In alignment with the recent F5 Security Promise, I want to highlight a gap in our process/system for authenticating customers who call the support line. Currently, the implemented process requires customers to provide their tenant name, after which the call is transferred to an engineer. However, this process carries a risk of potential breaches, as tenant names could be exposed either unintentionally or intentionally.
Additionally, we have encountered situations where the tenant owner is locked out and cannot access the console to unlock their account because they are the sole user for that tenant. In both cases, there is a risk of identity impersonation by someone else.
To mitigate these risks, we propose implementing a 2FA system for customers. On the global support side (BIG-IP), a similar setup exists, where a code is sent to the customer via the console or email, and the customer must provide that code to TSC or support to authenticate their identity. This approach significantly reduces the risk of impersonation.
Could we explore the possibility of implementing a similar 2FA system for our customers to enhance security?
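As an added illustration of the flow described above (this is example code, not part of the original post and not F5's or any support tool's actual implementation), the sketch below shows the server side of a support verification code: a random one-time code is issued per tenant for out-of-band delivery, stored only as a keyed hash, and then checked against what the caller reads back with an expiry, a single-use rule, an attempt limit and a constant-time comparison. The `SupportVerifier` class, the 8-digit code length, the 10-minute lifetime, the 3-attempt limit and the server-side key are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example.
CODE_DIGITS = 8
CODE_TTL_SECONDS = 600          # code is valid for 10 minutes
MAX_ATTEMPTS = 3                # then the challenge is burned

# Assumed server-side key. In a real deployment this lives in a secret
# store; keying the hash means a leaked table of hashes cannot be
# brute-forced offline against the small 10^8 code space.
SERVER_KEY = b"example-only-server-key"


@dataclass
class Challenge:
    tenant: str
    code_mac: bytes      # HMAC of the code, never the code itself
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def _mac(code: str) -> bytes:
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()


class SupportVerifier:
    """Issues and checks one-time codes used to verify a caller's identity."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so expiry can be tested
        self._challenges: dict[str, Challenge] = {}

    def issue_code(self, tenant: str) -> str:
        """Create a fresh code for the tenant.

        The returned code goes to the out-of-band channel (tenant console or
        the e-mail address on file); the support agent never sees it.
        Issuing a new code replaces any outstanding one for the tenant.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[tenant] = Challenge(tenant, _mac(code), self._clock())
        return code

    def verify(self, tenant: str, spoken_code: str) -> tuple[bool, str]:
        """Check the code the caller reads back. Returns (ok, reason)."""
        ch = self._challenges.get(tenant)
        if ch is None:
            return False, "no_challenge"
        if ch.consumed:
            return False, "already_used"
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            ch.consumed = True
            return False, "expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            ch.consumed = True
            return False, "too_many_attempts"
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(_mac(spoken_code.strip()), ch.code_mac):
            ch.consumed = True        # single use: a replayed code fails
            return True, "ok"
        return False, "mismatch"


if __name__ == "__main__":
    v = SupportVerifier()
    code = v.issue_code("example-tenant")   # delivered out of band
    print("issued", code)
    print(v.verify("example-tenant", "00000000"))
    print(v.verify("example-tenant", code))
    print(v.verify("example-tenant", code))  # replay is rejected
```

The important design points are that the agent only ever learns whether the check passed, the stored record cannot be turned back into the code, a code cannot be replayed after a successful call, and repeated guesses burn the challenge rather than letting a caller cycle through the code space. For the locked-out sole-user case in the post, the delivery channel would have to be the e-mail address already on file rather than the console the customer cannot reach.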