Authenticate with recovery code instead of using MFA for an application

Use recovery code an an alternative to MFA when the second factor device is not available. MFA or 2FA works when the user possesses the second factor device like laptop for email, duo authenticator; or a cell phone to receive the SMS. If a user forgets the device, you can validate the user with a valid identification, and then provide a recovery token that can be used to log in to the application. The recovery token expires within 24 hours. If you enable global MFA in the identity provider with the MFA factors, or enable MFA in the application, or enable MFA in the directory, a recovery code can be generated and provided to the validated user from the directory. With the recovery code the user can access the application. After the user gets this second factor device like a laptop or cell phone, the admin can delete the recovery code if it is not expired. If the user does not use the recovery code before the expiration, the admin can generate another recovery code for the user.

Enable recovery code generation in the identity provider

Enable the generation of recovery codes for users in a directory associated with this identity provider (IdP).

Log in to EAA Management Portal.
In the EAA Management Portal navigation menu, select Identity > Identity providers.
On the identity provider card, click Configure Identity Provider, and select MULTIFACTOR.
In General MFA Settings select Recovery code.
Click Save and exit or Save and go to Advanced Settings.
Deploy the identity provider.

Next, copy or delete the recovery code for a user.

Copy or delete the recovery code for a user

Access the MFA enabled directory assigned to the user to generate the recovery code for the user.

To validate the user check a valid form of authentication like employee ID number or any other document used by the organization.
Log in to EAA Management Portal.
In the EAA Management Portal navigation menu, select Identity > Directories.
On the directory card that includes the user for whom you want to generate a recovery code, click Users.
Select the user for whom you want to generate a recovery code.
Select Actions > Generate Recovery Code.
Select the identity provider associated with the application.
Set the expiration period and note the expiration time for the recovery token. The default expiration period is 24 hours. After the expiration period, the recovery token is automatically deleted.
Copy or delete the recovery code.
1. To copy the recovery code, click COPY.
2. To delete a previously generated recovery code, click DELETE.
Click OK.
Provide the recovery code to the validated user.

Next, use a recovery code to log into an application.

Use a recovery code to log into an application

When a user gets a recovery code as an alternative to MFA from the administrator, they should follow the below procedure to log into the application.

Log in with your credentials.
Enter the authentication code you receive.
A code is sent to the user's email, if email has been set up as the MFA factor. A code is sent to user's cell phone, if SMS has been set up as the MFA factor.
If you do not have any authentication device, to get a recovery code use Click here option. Click Contact Administrator.
Enter the recovery code and click VERIFY.
User logs into the application.

Akamai MFA two-factor authentication

Enterprise Application Access (EAA) allows you to use Akamai MFA as a second-factor authentication (2FA) for an Akamai identity provider (IdP). With both Enterprise Application Access and Akamai MFA on the same contract, the users from all of EAA directories may be provisioned into Akamai MFA. This action is executed from the Akamai MFA service.

Integrate Akamai MFA with EAA

Prerequisite:
Enterprise Application Access ( EAA) and Akamai MFA must be available in the same contract.

Generate your integration credentials in Akamai MFA.
Configure Akamai MFA as a 2FA in Enterprise Application Access Akamai identity provider.
Log in to EAA Management Portal.
In the EAA Management Portal navigation menu, select Identity > Identity providers.
Select your identity provider. Check if added the directory with your users to this identity provider.
On your identity provider card, click Configure Identity Provider, and select MULTIFACTOR.
Enable IdP MFA policy.
Select Akamai MFA as one of the MFA Factors.
Paste the integration credentials: Integration ID, Signing Key, and API Host.
Select Akamai MFA UserID attribute.
It determines the attribute that is sent as the username in Akamai MFA. Choose one of the following:
- Email
- SAM account name
- User Principal Name (UPN)
- Domain/SAM account name
This attribute must be the same as the Login Preference in the directory with your users associated with the identity provider. Otherwise you get an error Your MFA configuration has failed. when you login to access the application.
Click Save and exit.
Deploy the identity provider.
Assign the identity provider to one or more EAA applications.

📘
The identity provider must be assigned to at least one EAA application for Akamai MFA to be used.
Deploy the application.
Log in to the application through a web browser.
Enter your first factor authentication like username, password or select the certificate.
New users are redirected for PushMFA registration.
Self-enroll in Akamai MFA. Install Akamai MFA mobile app on google android or iPhone and choose in-line enrollment for your smartphone, phone, iPad or tablet.
The user is redirected to the application to access the resource.

Limitations of Akamai MFA

Akamai MFA cannot be used with other MFA factors for an identity provider.
User enrollment cannot be changed in Enterprise Application Access. It is managed by Enterprise Center and can be reset in Enterprise Center.
Akamai MFA is set up per user so you don't need to re-enroll the user on other identity providers or apps. Enrollment stays even if a user is deleted and added back in Enterprise Application Access.

Duo Security two-factor authentication

Duo Security is a multifactor authentication (MFA) provider that confirms the identity of users and the health of their devices before the user connects to your applications. Duo supports push notifications, TOTP (time-based one-time password), SMS (text message), voice calls, and emails as second factor authentication (2FA) features as a service.

Enterprise Application Access (EAA) provides remote access and MFA for on premise applications and also integrates with Duo’s 2FA services. If you use Duo as a 2FA solution for access to your applications, you simply need to provide some Duo-specific information in Enterprise Application Access to allow the products to communicate and verify identity and access privileges.

Within the Duo application, a Duo administrator can generate a unique set of configuration parameters that the applications use to authenticate 2FA. These configuration parameters are then entered into the Enterprise Application Access corresponding MFA fields. The configuration parameters are the following:

Integration key or ikey. A unique identifier that allows you to retrieve users' API keys based on email and password.
Secret key or skey. A unique identifier used for encryption of data.
API hostname. Your API hostname used for all API interactions with Duo. For example, api-XXXXXXXX.duosecurity.com.

The ikey and skey uniquely identify a specific application to Duo. API hostname is unique to your account, but shared by all of your applications.

Duo UserID attribute. When selected in Enterprise Application Access determines how the usernames listed in Duo appear. Choose one of the following:
Email
sAMAaccountName
User Principal Name (UPN)
Domain/sAMAaccountName

When you use the Enterprise Application Access Cloud directory or Open LDAP to authenticate users in the Login Portal, Enterprise Application Access supports only email as the Duo UserID attribute.
When you use the Active Directory (AD) to authenticate users in the Login Portal, Enterprise Application Access supports all Duo UserID attributes.
All communication between EAA Login Portal and Duo is secured with TLS. Enterprise Application Access validates the server certificate before sending any information or data to the Duo service.

Integrate Duo MFA with EAA

To configure Duo Security two-factor authentication (2FA) in Enterprise Application Access (EAA) you need to set up and admin account in Duo and retrieve some key information to use it in configuration of Duo MFA in Enterprise Application Access.

To get more information about Duo 2FA, visit Duo web help.

Create Duo admin account and retrieve some key information.
1. Create a Duo admin account.
2. Follow the on-screen prompts to activate Duo Mobile.
3. Go to the Duo Applications page.
4. Locate the respective Duo application to protect and select.
5. To generate the Integration key, Secret key, and API hostname, click Protect an Application.

Next, configure Duo MFA in EAA Management Portal. You can add Duo multi-factor authentication (MFA) to any EAA IdP you have configured. Duo MFA is configured similar to, and works alongside, other EAA MFA options.

Log in to EAA Management Portal.
In the EAA Management Portal navigation menu, select Identity > Identity providers.
Select your identity provider (IdP) you wish to configure or Add a new identity provider.
On your identity provider card, click Settings, and select MULTIFACTOR.
Enable IdP MFA Policy. It's an optional step to enable a global MFA policy.
Select MFA factors to apply.
Select Duo.
The Duo configuration parameters appear.
Enter Integration key, Secret key, and API hostname from previous steps.
Select one Duo UserID attribute.
Click Save and exit or Save and go to Advanced Settings.
Deploy the identity provider.