Use recovery code instead of MFA

Authenticate with recovery code instead of using MFA for an application

Use a recovery code as an alternative to MFA when the second factor device is not available. MFA (2FA) works when the user possesses the second factor device, such as a laptop for email, a Duo authenticator, or a cell phone to receive the SMS. If a user forgets the device, you can validate the user with a valid identification and then provide a recovery token that can be used to log in to the application. The recovery token expires within 24 hours. If you enable global MFA in the identity provider with the MFA factors, enable MFA in the application, or enable MFA in the directory, a recovery code can be generated in the directory and provided to the validated user. With the recovery code the user can access the application. When the user regains the second factor device, such as the laptop or cell phone, the admin can delete the recovery code if it has not yet expired. If the user does not use the recovery code before it expires, the admin can generate another recovery code for the user.

Enable recovery code generation in the identity provider

Enable the generation of recovery codes for users in a directory associated with this identity provider (IdP).

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select the identity provider to open it.

  4. In MFA, select Recovery code.

  5. Click Save.

  6. Deploy the identity provider.
    With recovery code configured at the identity provider (IdP) level, you can generate passcodes for all the users in the directories assigned to the IdP.

Next, copy or delete the recovery code for a user.

Copy or delete the recovery code for a user

Access the MFA-enabled directory assigned to the user to generate a recovery code for that user.

  1. To validate the user, check a valid form of identification, such as an employee ID number or any other document used by the organization.

    Note: Validate the user with a valid form of identification before you provide them with a recovery code.

  2. Log in to Enterprise Center.

  3. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.

  4. Select the directory that includes the user for whom you want to generate a recovery code.

  5. Click Users.

  6. Select the user for whom you want to generate a recovery code.

  7. Select Generate Recovery Code.
    The Generate recovery code dialog appears.

  8. Select the identity provider associated with the application and click OK.

  9. Set the expiration period and note the expiration time of the recovery token. The default expiration period is 24 hours. After the expiration period, the recovery token is automatically deleted.

  10. Copy or delete the recovery code.

    1. To copy the recovery code, click COPY.

    2. To delete a previously generated recovery code, click DELETE.

  11. Click OK.

  12. Provide the recovery code to the validated user.

Next, use a recovery code to log into an application.
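The following is an added illustrative model of the recovery-code lifecycle described in the two procedures above: an admin generates a code for a validated user, the code expires after a configurable period (24 hours by default), the admin can delete it before it expires, and a code that is used to log in is consumed. It is not Enterprise Application Access code and does not reflect how the product stores codes internally; the user IDs, timestamps, code length and in-memory store are all constructed for the example.

```python
"""Illustrative recovery-code store (added example, not the product's code).

Security properties modelled from the procedure:
  * the code is random and shown once, so only its hash is kept;
  * it expires (24 hours by default) and is purged after that;
  * an admin can delete it early (user got the second factor back);
  * it is single-use: a successful login consumes it;
  * generating a new code for a user replaces any earlier one.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEFAULT_EXPIRY = timedelta(hours=24)   # matches the page's default period


def digest(code: str) -> str:
    """Hash the code so a leaked store does not reveal usable codes."""
    return hashlib.sha256(code.encode("ascii")).hexdigest()


@dataclass
class RecoveryCodeStore:
    # user id -> (sha256 hex of the code, expiry time); one live code per user
    codes: dict = field(default_factory=dict)

    def generate(self, user_id: str, now: datetime,
                 expiry: timedelta = DEFAULT_EXPIRY) -> str:
        """Admin action after validating the user; returns the code to copy."""
        code = secrets.token_hex(8)            # 16 hex chars, constructed length
        self.codes[user_id] = (digest(code), now + expiry)
        return code

    def delete(self, user_id: str) -> bool:
        """Admin action (the DELETE button); True if a code was removed."""
        return self.codes.pop(user_id, None) is not None

    def verify(self, user_id: str, presented: str, now: datetime) -> bool:
        """User action (the VERIFY button). Consumes the code on success."""
        entry = self.codes.get(user_id)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if now >= expires_at:
            self.codes.pop(user_id)            # expired: auto-delete
            return False
        if not hmac.compare_digest(stored_digest, digest(presented)):
            return False                       # wrong code does not consume it
        self.codes.pop(user_id)                # single use
        return True

    def purge_expired(self, now: datetime) -> int:
        """Housekeeping equivalent of automatic deletion; returns count removed."""
        expired = [u for u, (_, exp) in self.codes.items() if now >= exp]
        for user_id in expired:
            self.codes.pop(user_id)
        return len(expired)


def demo() -> dict:
    """Walk the lifecycle with constructed times and return each outcome."""
    store = RecoveryCodeStore()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed
    code = store.generate("alice", now=t0)
    results = {
        "wrong_code": store.verify("alice", "0" * 16, now=t0 + timedelta(hours=1)),
        "first_use": store.verify("alice", code, now=t0 + timedelta(hours=1)),
        "reuse": store.verify("alice", code, now=t0 + timedelta(hours=2)),
    }
    code2 = store.generate("alice", now=t0)
    results["expired"] = store.verify("alice", code2, now=t0 + timedelta(hours=25))
    code3 = store.generate("bob", now=t0)
    results["deleted"] = store.delete("bob")
    results["after_delete"] = store.verify("bob", code3, now=t0 + timedelta(minutes=5))
    return results


if __name__ == "__main__":
    print(demo())
```

The store keeps only a hash and compares it in constant time, so copying the code to the admin's clipboard (step 10) is the only place the plaintext exists; deleting or expiring the entry is enough to revoke it, which is why the procedure can safely hand the code to a user over a support channel once identity has been checked.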

Use a recovery code to log into an application

When a user gets a recovery code from the administrator as an alternative to MFA, they follow this procedure to log in to the application.

  1. Log in with your credentials.

  2. Enter the authentication code you receive.
    A code is sent to the user's email if email has been set up as the MFA factor, or to the user's cell phone if SMS has been set up as the MFA factor.

  3. If you do not have the authentication device, use the Click here option to get a recovery code, and then click Contact Administrator.

  4. Enter the recovery code and click VERIFY.
    The user is logged in to the application.