Authenticate with a recovery code instead of MFA for an application
Use a recovery code as an alternative to MFA when the second-factor device is not available.
MFA (2FA) only works when the user possesses the second-factor device: a laptop for email or the Duo authenticator, or a cell phone to receive the SMS. Previously, the only work-around when that device was unavailable was to reset the password. Now the administrator can instead verify the user's identity with valid identification and then send a one-time recovery token from the directory. The recovery token can be configured to be valid for one day and expires after that period. If the administrator has enabled global MFA (with its MFA factors) in the identity provider, enabled MFA in the application, or enabled MFA in the directory, a recovery code can be generated and sent to the verified user belonging to that directory. With the recovery code the user can access the application. Once the user has the second-factor device (laptop or cell phone) back, the admin can delete the recovery code if it has not yet expired. If the user does not use the recovery code before it expires, the admin can generate another recovery code for the user.
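The lifecycle above (one-time use, a configurable expiry of about a day, admin deletion before expiry, regeneration after expiry or use) is what any recovery-code store has to enforce. The following Python is an added example, not EAA's own code or API; it models those rules in a small in-memory store so the edge cases can be exercised offline. The class and method names (RecoveryCodeStore, issue, redeem, revoke), the 24-hour default lifetime, the 16-character hex code format and the ManualClock helper are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed default lifetime; the procedure says the token can be configured for a day.
DEFAULT_TTL_SECONDS = 24 * 60 * 60


class ManualClock:
    """Test clock so expiry can be exercised without waiting (assumed helper)."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class RecoveryCodeRecord:
    code_hash: bytes   # only a hash is kept; the plaintext is shown to the admin once
    expires_at: float  # epoch seconds
    used: bool = False


class RecoveryCodeStore:
    """Illustrative per-user recovery-code store (not EAA's implementation)."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 ttl_seconds: int = DEFAULT_TTL_SECONDS) -> None:
        self._clock = clock
        self._ttl = ttl_seconds
        self._records: Dict[str, RecoveryCodeRecord] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("ascii")).digest()

    def _active(self, user_id: str) -> bool:
        rec = self._records.get(user_id)
        return rec is not None and not rec.used and rec.expires_at > self._clock()

    def issue(self, user_id: str) -> str:
        """Generate a one-time code for a user whose identity the admin has verified.

        Refuses while an unused, unexpired code exists: the admin must delete it
        first (or let it expire), so at most one live code exists per user.
        """
        if self._active(user_id):
            raise ValueError("an active recovery code already exists; revoke it first")
        code = secrets.token_hex(8)  # 64 bits of entropy, 16 hex chars (assumed format)
        self._records[user_id] = RecoveryCodeRecord(self._hash(code),
                                                    self._clock() + self._ttl)
        return code

    def redeem(self, user_id: str, code: str) -> bool:
        """Accept the code once; reject unknown, used, expired or mismatched codes."""
        rec = self._records.get(user_id)
        if rec is None or rec.used or rec.expires_at <= self._clock():
            return False
        if not hmac.compare_digest(rec.code_hash, self._hash(code)):
            return False
        rec.used = True  # single use: a replayed code fails from now on
        return True

    def revoke(self, user_id: str) -> bool:
        """Admin deletes the code once the user has the second-factor device back."""
        return self._records.pop(user_id, None) is not None

    def status(self, user_id: str) -> str:
        rec = self._records.get(user_id)
        if rec is None:
            return "none"
        if rec.used:
            return "used"
        if rec.expires_at <= self._clock():
            return "expired"
        return "active"


if __name__ == "__main__":
    clock = ManualClock()
    store = RecoveryCodeStore(clock=clock.now)
    code = store.issue("alice")
    print("issued", code, store.status("alice"))
    print("redeem", store.redeem("alice", code), "replay", store.redeem("alice", code))
    code2 = store.issue("alice")
    clock.advance(DEFAULT_TTL_SECONDS + 1)
    print("after expiry", store.status("alice"), store.redeem("alice", code2))
```

Because only a hash is stored and the comparison is constant-time, a database read does not reveal usable codes, and an attacker guessing against a 64-bit code gains nothing from timing. In a real deployment the store would also rate-limit redeem attempts per user and log each issue, redeem and revoke with the administrator who performed it.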
STEP 1: Enable recovery code generation in the identity provider
- Log in to the Enterprise Application Access (EAA) Management Portal.
- From the top menu bar, select .
- Click the Configure Identity Provider icon on the identity provider.
- Click the Multifactor tab.
- In General MFA Settings, select the Recovery code.
- To save the changes, click Save and exit or Save and go to Advanced Settings.
- For the changes to go into effect, Deploy the identity provider.