Employee offboarding is one of the highest-risk events in an organization's security lifecycle. In the rush to handle logistics — collecting equipment, revoking email access, processing final pay — the MFA secrets behind the employee's authentication codes often get overlooked.
Unlike a password (which the service can reset) or an SSH key (which you can delete from authorized_keys), a TOTP secret that an employee scanned into a personal phone cannot be erased remotely. You can only invalidate it on the service side, by deleting or regenerating that enrollment. Until you do, the phone keeps producing valid codes: if a departing employee's phone holds your team's shared MFA secrets, those secrets stay usable indefinitely.
This checklist helps IT teams handle MFA offboarding completely and consistently.
Why MFA Offboarding Is Different
Password and access revocation are well-understood problems. Most organizations have processes for:
- Disabling Active Directory / Azure AD accounts
- Revoking email access
- Removing VPN credentials
- Recovering company hardware
MFA is different because the secret may live on a personal device that you don't control. You can disable an account, but if the underlying OTP secret hasn't been regenerated, the departing employee can still generate valid codes — which matters if they ever regain account access through another vector.
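The following is an added example, not code from the original article or from Gatera, that makes the point above concrete: a TOTP secret copied to a phone at enrollment passes verification until the service-side enrollment is regenerated, and disabling the account on its own changes nothing about the secret. The TOTP arithmetic is RFC 4226/6238; the `Service` class, the secrets and the timestamps are constructed for illustration and model no particular product.

```python
"""Added example, not from the original article: why disabling an account
does not neutralise a TOTP secret that a departing employee still has on a
personal phone, and why regenerating the enrolment does.

Standard library only. The TOTP arithmetic follows RFC 4226/6238; the
`Service` class, the secrets and the timestamps are constructed here for
illustration and are not any real product's code.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

STEP = 30  # seconds per TOTP time step (the RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP, digits)


class Service:
    """Constructed model of a SaaS login: one enrolled TOTP secret per account."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self.enabled = True
        # The same bytes the enrolment QR code encodes; whoever scanned it has a copy.
        self.secret = secret or secrets.token_bytes(20)

    def verify(self, code: str, at: int, window: int = 1) -> bool:
        """Accept the code for the current step, plus/minus `window` steps of drift."""
        if not self.enabled:
            return False
        return any(
            hmac.compare_digest(code, totp(self.secret, at + k * STEP))
            for k in range(-window, window + 1)
        )

    def regenerate_mfa(self, new_secret: Optional[bytes] = None) -> None:
        """Server-side reset: every copy of the old secret, anywhere, is now useless."""
        self.secret = new_secret or secrets.token_bytes(20)


def offboarding_scenario(at: int = 1_700_000_000,
                         enrolled: Optional[bytes] = None,
                         regenerated: Optional[bytes] = None) -> dict:
    """Walk one account through offboarding and record whether the phone's
    copy of the secret still passes verification at each step."""
    svc = Service(enrolled)
    phone = svc.secret  # employee scanned the QR code onto a personal phone
    out = {"enrolled": svc.verify(totp(phone, at), at)}

    svc.enabled = False  # Phase 2: account disabled
    out["account_disabled"] = svc.verify(totp(phone, at), at)

    svc.enabled = True  # account re-enabled, or reached through another vector
    out["account_reenabled"] = svc.verify(totp(phone, at), at)

    svc.regenerate_mfa(regenerated)  # Phase 3: enrolment regenerated
    out["after_regeneration"] = svc.verify(totp(phone, at), at)
    return out


if __name__ == "__main__":
    # Sanity check against RFC 6238 Appendix B (SHA-1, 8 digits, T=59).
    assert totp(b"12345678901234567890", 59, digits=8) == "94287082"
    for step, ok in offboarding_scenario().items():
        print(f"{step:>20}: phone code {'ACCEPTED' if ok else 'rejected'}")
```

The `account_reenabled` step is the one that matters in practice: nothing about the phone changed between "disabled" and "re-enabled", so any path that brings the account back (reactivation, a password reset through a recovery address, a shared account that was never disabled) restores the old copy's usefulness. Only `regenerate_mfa` closes it.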
The Core Question: Where Do Your MFA Codes Live?
Before working through the checklist, answer this question honestly: where are your team's shared MFA codes stored?
- Personal phones: highest risk. The secret leaves with the employee; every shared enrollment they held must be regenerated.
- Shared password manager vault: medium risk. Revoke access at the vault level, and regenerate any secret the employee could have copied out of the vault (password managers typically expose the raw TOTP seed, so treat export as possible, not just a vault compromise).
- Dedicated team MFA vault (e.g., Gatera): lowest risk. Access is revoked instantly without rotating any codes, provided the vault only ever showed the employee generated codes and never the underlying secret.
The offboarding effort required is dramatically different depending on which scenario you're in.
The Complete MFA Offboarding Checklist
Phase 1: Before the employee's last day
- [ ] Identify all accounts the employee had MFA access to. This includes accounts where they may have personally enrolled a TOTP secret on their phone, not just accounts you explicitly granted.
- [ ] Determine if they held any "owner" MFA codes. Some accounts may have been enrolled under their personal authenticator app by default.
- [ ] List all shared credentials they had access to through team vaults or shared accounts.
- [ ] Check if they're the only person with access to any critical code. If so, re-enroll before their last day, not after.
Phase 2: On the last day
- [ ] Revoke vault access if using a team MFA vault. This is immediate and covers all codes in the vault at once.
- [ ] Remove them from all shared password managers (1Password, Bitwarden, etc.).
- [ ] Disable their SSO/IdP account (Microsoft Entra ID, formerly Azure AD; Okta; Google Workspace) and revoke active sessions and refresh tokens. Disabling blocks new logins even if codes are retained; session revocation ends logins that are already established.
- [ ] Revoke their personal API keys, personal access tokens and OAuth grants across all platforms. These bypass MFA entirely.
- [ ] Remove them from any shared authenticator app accounts (e.g., shared Authy account).
Phase 3: Within 48 hours of departure
- [ ] Audit any account where they personally enrolled TOTP on their phone. Remove that enrollment at the service and enroll a new secret into a device or vault you control; then confirm MFA is still enforced on the account, since deleting the only enrollment can leave it password-only.
- [ ] Check cloud providers: AWS IAM, GCP, Azure — regenerate MFA for any shared accounts they touched.
- [ ] Check DNS/CDN platforms: Cloudflare, Route 53 — same process.
- [ ] Check version control: GitHub, GitLab organizations.
- [ ] Check payment processors: Stripe, PayPal, any billing platforms.
- [ ] Check domain registrars and SSL management tools.
- [ ] Check your MSP tooling if applicable: RMM, PSA, remote access tools.
- [ ] Verify their personal email address and phone number are removed from account recovery options. On many services a recovery email or SMS can reset both the password and the MFA enrollment.
Phase 4: Documentation
- [ ] Document which accounts were audited and which required code regeneration.
- [ ] Note the date and time of each revocation for audit trail purposes.
- [ ] Update your credential inventory to reflect the departing employee is removed.
- [ ] Brief remaining team members on any credentials that were regenerated.
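As an added example that is not part of the original checklist or of any Gatera code, here is Phase 3 and Phase 4 for one of the providers listed, AWS IAM: deactivate every MFA device on a user, delete the virtual (TOTP) ones, and return the timestamped revocation records the documentation phase asks for. The three IAM operations used are real boto3 calls; the client is injected so the logic runs here against `FakeIam`, a constructed in-memory stand-in, without credentials or network. The account id, user names and serial numbers are made up.

```python
"""Added example, not from the original article: Phase 3 and Phase 4 for one
provider, AWS IAM. It deactivates every MFA device on an IAM user, deletes
the virtual ones, and returns the timestamped audit records the checklist
asks for.

`list_mfa_devices`, `deactivate_mfa_device` and `delete_virtual_mfa_device`
are real boto3 IAM operations. The client is passed in so the logic can run
here against `FakeIam`, a constructed in-memory stand-in, with no AWS
credentials or network. The account id, user names and serial numbers are
made up.
"""
from datetime import datetime, timezone
from typing import Optional


def list_all_mfa_devices(iam, user_name: str) -> list:
    """Collect every device for the user, following IAM's Marker pagination."""
    devices, kwargs = [], {"UserName": user_name}
    while True:
        resp = iam.list_mfa_devices(**kwargs)
        devices.extend(resp.get("MFADevices", []))
        if not resp.get("IsTruncated"):
            return devices
        kwargs["Marker"] = resp["Marker"]


def revoke_iam_mfa(iam, user_name: str, now: Optional[datetime] = None) -> list:
    """Phase 3 for AWS IAM, with the Phase 4 record of each action.

    Every device is deactivated. Virtual devices (serial is an ARN of the form
    arn:aws:iam::<account>:mfa/<name>, i.e. a TOTP seed that may also live on
    a phone) are then deleted, because a deactivated virtual device keeps its
    seed and can be re-associated by anyone with iam:EnableMFADevice.
    Hardware tokens and FIDO keys are deactivated only: they are physical
    objects to recover, and this example does not try to delete them.
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for dev in list_all_mfa_devices(iam, user_name):
        serial = dev["SerialNumber"]
        iam.deactivate_mfa_device(UserName=user_name, SerialNumber=serial)
        action = "deactivated"
        if ":mfa/" in serial:
            iam.delete_virtual_mfa_device(SerialNumber=serial)
            action = "deactivated+deleted"
        records.append({"user": user_name, "serial": serial,
                        "action": action, "at": stamp})
    return records


class FakeIam:
    """Constructed stand-in for boto3's IAM client. Keeps devices in memory
    and records every call so the exact sequence can be checked."""

    def __init__(self, devices):
        self.devices = [dict(d, active=True) for d in devices]
        self.calls = []

    def list_mfa_devices(self, UserName, Marker=None):
        self.calls.append(("list", UserName))
        mine = [{"UserName": d["UserName"], "SerialNumber": d["SerialNumber"]}
                for d in self.devices if d["UserName"] == UserName and d["active"]]
        return {"MFADevices": mine, "IsTruncated": False}

    def deactivate_mfa_device(self, UserName, SerialNumber):
        self.calls.append(("deactivate", UserName, SerialNumber))
        for d in self.devices:
            if d["UserName"] == UserName and d["SerialNumber"] == SerialNumber:
                d["active"] = False

    def delete_virtual_mfa_device(self, SerialNumber):
        self.calls.append(("delete", SerialNumber))
        self.devices = [d for d in self.devices if d["SerialNumber"] != SerialNumber]


SAMPLE_DEVICES = [  # constructed inventory: departing user 'alice', unrelated 'bob'
    {"UserName": "alice", "SerialNumber": "arn:aws:iam::123456789012:mfa/alice"},
    {"UserName": "alice", "SerialNumber": "GAHT12345678"},  # hardware token
    {"UserName": "bob", "SerialNumber": "arn:aws:iam::123456789012:mfa/bob"},
]

if __name__ == "__main__":
    iam = FakeIam(SAMPLE_DEVICES)
    for rec in revoke_iam_mfa(iam, "alice"):
        print(rec)
    # Against a real account (assumption: credentials from the usual boto3 chain
    # and permissions for iam:ListMFADevices, iam:DeactivateMFADevice and
    # iam:DeleteVirtualMFADevice):
    #   import boto3
    #   revoke_iam_mfa(boto3.client("iam"), "alice")
```

Run it once per IAM user the departing employee could sign in as, including any shared "admin" or "deploy" users, and keep the returned records with the rest of the offboarding file. A second run on the same user returns an empty list, which is a cheap way to confirm nothing was missed.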
Streamlining Offboarding with a Team MFA Vault
The checklist above is comprehensive — but it's also extensive. The length of the process reflects what happens when MFA is managed informally across personal devices and shared apps.
If your organization uses a dedicated team MFA vault:
- Revoke vault access. This takes seconds, and the departing employee immediately loses access to every code in the vault.
- Done, for everything that lived only in the vault: no code rotation and no per-account audit. Anything they enrolled on a personal phone outside the vault still needs Phase 3.
The vault's audit log shows exactly which codes they accessed and when, which gives you a clean record of their activity and confidence that revocation was complete.
This is why organizations that take security seriously invest in proper MFA management infrastructure before offboarding becomes a crisis.
Handling the Difficult Scenarios
"They were the only one with access to a critical code"
This is a business continuity failure, not just a security issue. The fix is immediate: before their last day, re-enroll the relevant codes into a team vault and verify access for at least one other team member.
Never let a single person be the sole holder of a critical authentication code.
"They won't cooperate during offboarding"
You cannot verify that a copy of a secret was deleted from a personal device, so cooperation does not change the answer: regenerate the MFA enrollment at each affected service. Work through the list in Phase 3 methodically.
For critical production systems, do this immediately — don't wait to see if they cooperate.
"We're not sure which accounts they had"
This is a sign of a credential inventory gap. As a remediation step, audit your entire credential inventory and establish a formal process for tracking who has access to what.
Going forward, a team vault with audit logs solves this prospectively: you have a complete record of which codes each user accessed.
Conclusion
MFA offboarding is often overlooked because it's not obvious and it's not automated. But it's genuinely important: a departing employee with retained OTP secrets is a persistent authentication risk, and only regenerating each enrollment resolves it.
The right long-term solution is infrastructure: a team MFA vault where access is centralized, controlled, and revocable in seconds. The offboarding checklist above is the short-term fix for organizations that aren't there yet.
Start using Gatera → and make MFA offboarding a 30-second task.