Authenticate with a recovery code instead of MFA for an application

Use a recovery code as an alternative to MFA when the second-factor device is not available.

MFA (2FA) assumes the user possesses the second-factor device: a laptop for the email factor or the Duo authenticator, or a cell phone to receive the SMS. When that device is lost or unavailable, the only work-around used to be resetting the password. The administrator can now instead validate the user's identity and then issue a one-time recovery token from the directory. The token is valid for a configurable period (one day by default) and expires after that period. A recovery code can be generated for a validated user in the directory whenever MFA is enabled globally on the identity provider (with its MFA factors), on the application, or on the directory. The user presents the recovery code in place of the second factor to access the application. Once the user has the second-factor device again, the administrator should delete the recovery code if it has not yet expired; if the user did not use the code before it expired, the administrator can generate a new one. Because the recovery code bypasses the second factor, the identity check performed before issuing it is the security control: issue it only after validating the user, and hand it over through a channel that is not the one that was lost.

STEP 1: Enable recovery code generation in the identity provider

The administrator can enable recovery code generation for users in the directories associated with an identity provider using this procedure:

  1. Log in to the Enterprise Application Access (EAA) Management Portal.
  2. From the top menu bar, select Identity > Identity Providers.
  3. Click the Configure Identity Provider icon on the identity provider.
  4. Click the Multifactor tab.
  5. In General MFA Settings, select Recovery code.
  6. To save the changes, click Save and exit or Save and go to Advanced Settings.
  7. For the changes to go into effect, Deploy the identity provider.

STEP 2: Copy or delete the recovery code for a user

You generate a recovery code for a user from the MFA-enabled directory that the user belongs to.

How to

  1. Validate the user's identity using a form of identification accepted by your organization, such as an employee ID number or another official document.
  2. Log in to the Enterprise Application Access (EAA) Management Portal.
  3. From the top menu bar, select Identity > Directories.
  4. Locate the directory card that includes the user and click Users icon.
  5. Select the user you are generating the recovery code for.
  6. Click Actions > Generate Recovery Code for the user.
  7. Select the identity provider associated with the application.
  8. Set the expiration period and note the expiration time for the recovery token. The default expiration period is 24 hours. After the expiration period, the recovery token is automatically deleted.
  9. Copy or delete the recovery code.
    1. To copy the recovery code, click COPY.
    2. To delete a previously generated recovery code, click DELETE.
    Note: The recovery code has a default expiration period of one day (24 hours).
  10. Click OK.
  11. Provide the recovery code to the validated user.
    Note: Never generate or hand out a recovery code before the user's identity has been validated (step 1); the code replaces the second factor, so the identity check is what stands in for it.

STEP 3: Use a recovery code to log into an application

After obtaining a recovery code from the administrator as an alternative to multifactor authentication, the end user logs into the application as follows:

  1. The end user logs into the application with their login credentials.
  2. If email is the configured MFA factor, a code is sent to the user's email; if SMS is the configured factor, a code is sent to the user's cell phone. A user who has the device enters that code as the authentication code. A user who does not have the device clicks Click here to choose an alternative method.
  3. Click Contact Administrator as the authentication method for code recovery.
  4. Enter the recovery code received from the organization's administrator and click VERIFY.
  5. The end user is logged into the application.
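To make the lifecycle in STEP 2 and STEP 3 concrete, here is an added Python model of a recovery-code store. It is illustrative code written for this page, not Enterprise Application Access code or its API; the class and method names (RecoveryCodeStore, generate, delete, verify), the injected clock, and the sample user and identity-provider names are assumptions. It demonstrates the properties the procedure relies on: the code is bound to one user and identity provider, is stored only as a hash, expires after the default 24 hours and is purged when found expired, can be deleted by the administrator, is compared in constant time, and is consumed on first successful use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Default validity, matching the page's default expiration of one day.
CODE_TTL_SECONDS = 24 * 60 * 60


@dataclass
class RecoveryCode:
    """One issued recovery code. Only the hash of the code is kept."""
    user: str
    idp: str            # identity provider the code was issued for (assumed name)
    code_hash: bytes
    expires_at: float   # Unix time after which the code is invalid
    used: bool = False


class RecoveryCodeStore:
    """Hypothetical admin-side store: at most one active code per (user, idp)."""

    def __init__(self, now=time.time):
        # The clock is injectable so expiry can be exercised deterministically.
        self._now = now
        self._codes = {}  # (user, idp) -> RecoveryCode

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def generate(self, user: str, idp: str, ttl: int = CODE_TTL_SECONDS) -> str:
        """Issue a fresh code for a validated user; replaces any earlier code.

        The identity check belongs to the administrator's process before this
        call (STEP 2, step 1); this store only enforces the token mechanics.
        Returns the plaintext once, for the admin to hand to the user.
        """
        plain = secrets.token_urlsafe(12)
        self._codes[(user, idp)] = RecoveryCode(
            user=user, idp=idp, code_hash=self._hash(plain),
            expires_at=self._now() + ttl,
        )
        return plain

    def delete(self, user: str, idp: str) -> bool:
        """Admin revokes an unexpired code once the user has the device again."""
        return self._codes.pop((user, idp), None) is not None

    def verify(self, user: str, idp: str, candidate: str) -> bool:
        """Accept the code in place of the second factor (STEP 3, step 4)."""
        rec = self._codes.get((user, idp))
        if rec is None:
            return False
        if self._now() >= rec.expires_at:
            # Expired codes are removed automatically, as the page describes.
            del self._codes[(user, idp)]
            return False
        if rec.used:
            return False
        # Constant-time comparison of hashes avoids leaking the code via timing.
        if not hmac.compare_digest(rec.code_hash, self._hash(candidate)):
            return False
        rec.used = True  # one-time token: consumed on first success
        return True


if __name__ == "__main__":
    store = RecoveryCodeStore()
    code = store.generate("alice", "corp-idp")   # constructed sample user/IdP
    print("issued:", code)
    print("first use ok:", store.verify("alice", "corp-idp", code))
    print("second use ok:", store.verify("alice", "corp-idp", code))
```

The `generate` call deliberately returns the plaintext exactly once and never stores it; a database dump therefore does not yield usable codes. Regenerating for the same user overwrites the earlier record, which mirrors the page's guidance to issue a new code only when the previous one has expired or been deleted.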