How to enable MFA backup verification code and how to use it

Streamline the MFA process using backup verification codes

What are backup verification codes? 

ManageEngine ADSelfService Plus, an identity security solution with multi-factor authentication, single sign-on, and self-service password management capabilities, offers MFA for logins into multiple enterprise endpoints including machines, VPNs, OWA, and cloud applications. With this feature, users have to prove their identity using the default username and password method followed by additional authentication methods such as biometric authentication, hardware authentication, and TOTP. Many of these methods require a mobile device and application, or a hardware key, and on the off chance that the device or application does not work or is not accessible, the user may lose access to the enterprise network and applications. To prevent this, ADSelfService Plus supports backup verification codes. These are one-time codes that can be generated and saved for use in place of the usual MFA process for identity verification when any authentication method cannot be completed.

How to enable backup verification codes for MFA? 

Here are the steps to enable backup verification codes after you have configured MFA in ADSelfService Plus:
  1. Log in to the ADSelfService Plus admin portal.
  2. Navigate to Self-Service > Multi-factor Authentication > Advanced Settings.
  3. Under Choose the Policy, select the policy for which you have configured MFA and want to enable backup verification codes.
  4. Go to the General tab, and under the MFA Recovery section check the Enable MFA Backup Verification Codes box.

How to generate the backup verification codes?

Backup codes can be generated in two ways:
  1. By the user: Users can generate backup codes in the ADSelfService Plus end-user portal. A total of five codes are generated every time the option is used. Each code cannot be used more than once.
  2. By the admin: Admins can also generate backup codes for users who have enrolled for MFA using the Enrolled Users Report. This comes in handy when users have not generated their own backup codes and cannot use the enrolled MFA methods.

User-generated backup verification codes

There are two ways a user can generate backup codes from the ADSelfService Plus user portal:
Option 1: Using the Enrollment tab
  1. Log in to the ADSelfService Plus user portal and go to the Enrollment tab.
  2. Under MFA Recovery, select Generate One-Time Use Backup Codes.
  3. After generating the backup codes, use the edit icon to access the codes or generate new codes.
Option 2: Using the profile menu
  1. Log in to the ADSelfService Plus user portal and click the profile icon in the top-right corner.
  2. Select MFA Recovery from the profile menu that appears.
  3. Choose what to do with the generated codes:
    1. Save as Text: Download the codes as a text file.
    2. Send Email: Email the backup codes to a specific email address.
    3. Print: Print a hard copy of the codes.
  4. Click Close.

Admin-generated backup verification codes

  1. Log in to the ADSelfService Plus admin portal. Go to Reports > Enrollment Reports > Enrolled Users Report.
  2. The Enrolled Users Report will be displayed. Here, go to the Enrollment Status column and hover over the enrollment status entry of the specific user. Select the MFA Backup Code option that appears.
  3. In the Generate MFA Backup Code section that appears, you will find the following details:
    1. SAM Account Name: The samAccountName value for the user
    2. Domain Name: The domain the user belongs to
    3. Generated time: The date and time that the backup code was generated
  4. A table displays the generated single-use backup code.
  5. Use the Expire (Mins) field to specify the number of minutes after which the code will expire.
  6. Click the copy icon next to the backup code to copy it. The code should be sent or conveyed to the user to let them verify their identity without MFA.
  7. Click Close.
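The two generation paths above share the same underlying properties: a user batch is five codes, each usable exactly once, while an admin-issued code is a single code that additionally expires after a configurable number of minutes. The following is an added, constructed example (not ADSelfService Plus code, and not a description of how the product stores anything) of a backup-code store that enforces those properties: plaintext codes are shown once and only salted hashes are kept, a code is removed on first successful redemption, expired admin codes are never accepted, and regenerating a user batch invalidates the previous batch (that last point is an assumption for the example; the article does not say what happens to older codes). The alphabet, code length and hashing parameters are also assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for the example (not from the product).
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I, easier to read from a printout
CODE_LENGTH = 10
CODES_PER_BATCH = 5  # the article's "five codes are generated every time"
PBKDF2_ROUNDS = 50_000


def _hash_code(code: str, salt: bytes) -> bytes:
    """Salted slow hash, so a copied store does not reveal usable codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, PBKDF2_ROUNDS)


def _normalize(candidate: str) -> str:
    """Accept what a user typed from paper: strip separators/whitespace, uppercase."""
    return "".join(ch for ch in candidate.upper() if ch not in " -")


def _new_code() -> str:
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))


class BackupCodeStore:
    def __init__(self):
        # user -> list of {"kind": "user"|"admin", "salt", "digest", "expires_at"}
        self._records = {}

    def _record(self, code, kind, expires_at):
        salt = secrets.token_bytes(16)
        return {"kind": kind, "salt": salt, "digest": _hash_code(code, salt), "expires_at": expires_at}

    def generate_user_batch(self, user: str):
        """Issue five distinct single-use codes; older user codes are dropped (assumption)."""
        codes = set()
        while len(codes) < CODES_PER_BATCH:
            codes.add(_new_code())
        codes = sorted(codes)
        kept = [r for r in self._records.get(user, []) if r["kind"] != "user"]
        self._records[user] = kept + [self._record(c, "user", None) for c in codes]
        return codes  # the only time plaintext leaves the store

    def issue_admin_code(self, user: str, expire_mins: int, now=None):
        """Issue one code that expires after expire_mins, mirroring the Expire (Mins) field."""
        now = time.time() if now is None else now
        code = _new_code()
        self._records.setdefault(user, []).append(self._record(code, "admin", now + expire_mins * 60))
        return code

    def redeem(self, user: str, candidate: str, now=None) -> bool:
        """Consume a code: True once for a valid, unexpired code; False otherwise."""
        now = time.time() if now is None else now
        records = self._records.get(user, [])
        # Purge expired admin codes so they can never match.
        records[:] = [r for r in records if r["expires_at"] is None or now <= r["expires_at"]]
        candidate = _normalize(candidate)
        for rec in records:
            if hmac.compare_digest(rec["digest"], _hash_code(candidate, rec["salt"])):
                records.remove(rec)  # single use: remove before reporting success
                return True
        return False

    def remaining(self, user: str) -> int:
        return len(self._records.get(user, []))


if __name__ == "__main__":
    store = BackupCodeStore()
    batch = store.generate_user_batch("alice")  # would be shown/printed once to the user
    print("issued", len(batch), "codes; first redeem:", store.redeem("alice", batch[0]),
          "second redeem of same code:", store.redeem("alice", batch[0]))
```

The important design points for a defender are the ones the article's procedure implies but does not spell out: a code that has been used must be gone from the store, not merely flagged; an admin-issued code must stop working when its expiry passes even if it was never used; and the comparison runs over hashes with a constant-time compare, so neither a database copy nor timing reveals the codes.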



How to use backup verification codes?

Once backup verification codes are enabled and generated, every time a user has to verify their identity using MFA but cannot access the device or app required for an authentication method, they can choose to use the codes instead. The user simply has to select Use backup code and enter the saved backup verification code in the field that appears.
