What are backup verification codes?
ManageEngine ADSelfService Plus, an identity security solution with multi-factor authentication, single sign-on, and self-service password management capabilities, offers MFA for logins into multiple enterprise endpoints including machines, VPNs, OWA, and cloud applications. With this feature, users have to prove their identity using the default username and password method followed by additional authentication methods such as biometric authentication, hardware authentication, and TOTP. Many of these methods require a mobile device and application, or a hardware key. On the off chance that the device or application does not work or is not accessible, the user may lose access to the enterprise network and applications. To prevent this, ADSelfService Plus supports backup verification codes. These are one-time codes that can be generated and saved in advance, then used in place of the usual MFA process for identity verification when an authentication method cannot be completed.
How to enable backup verification codes for MFA?
Here are the steps to enable backup verification codes after you have configured MFA in ADSelfService Plus:
- Log in to the ADSelfService Plus admin portal.
- Navigate to Self-Service > Multi-factor Authentication > Advanced Settings.
- Under Choose the Policy, select the policy for which you have configured MFA and want to enable backup verification codes.
- Go to the General tab, and under the MFA Recovery section check the Enable MFA Backup Verification Codes box.
How to generate the backup verification codes?
Backup codes can be generated in two ways:
- By the user: Users can generate backup codes in the ADSelfService Plus end-user portal. A total of five codes are generated every time the option is used. Each code cannot be used more than once.
- By the admin: Admins can also generate backup codes for users who have enrolled for MFA using the Enrolled Users Report. This comes in handy when users have not generated their own backup codes and cannot use the enrolled MFA methods.
User generated backup verification codes
There are two ways a user can generate backup codes from the ADSelfService Plus user portal:
Option 1: Using the Enrollment tab
- Log in to the ADSelfService Plus user portal and go to the Enrollment tab.
- Under MFA Recovery, select Generate One-Time Use Backup Codes.
- After generating the backup codes, use the edit icon to access the codes or generate new codes.
Option 2: Using the profile menu
- Log in to the ADSelfService Plus user portal and click the profile icon in the top-right corner.
- Select MFA Recovery from the profile menu that appears.
- Choose what to do with the generated codes:
  - Save as Text: Download the codes as a text file.
  - Send Email: Email the backup codes to a specific email address.
  - Print: Print a hard copy of the codes.
- Click Close.
Admin-generated backup verification codes
- Log in to the ADSelfService Plus admin portal. Go to Reports > Enrollment Reports > Enrolled Users Report.
- The Enrolled Users Report will be displayed. Here, go to the Enrollment Status column and hover over the enrollment status entry of the specific user. Select the MFA Backup Code option that appears.
- In the Generate MFA Backup Code section that appears, you will find the following details:
  - SAM Account Name: The samAccountName value for the user
  - Domain Name: The domain the user belongs to
  - Generated time: The date and time that the backup code was generated
  - A table displays the generated single-use backup code.
- Use the Expire (Mins) field to specify the number of minutes after which the code will expire.
- Click the copy icon next to the backup code to copy it. The code should be sent or conveyed to the user to let them verify their identity without MFA.
- Click Close.
How to use backup verification codes?
Once backup verification codes are enabled and generated, every time a user has to verify their identity using MFA but cannot access the device or app required for the authentication method, they can choose to use the codes instead. The user simply has to select Use backup code and enter the saved backup verification code in the field that appears.
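
The single-use and expiry behavior described above, modeled as an added example. This is not ADSelfService Plus code: the class and function names, the code length and alphabet, the hashed storage, and the choice that a new user batch replaces the previous one are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODES_PER_BATCH = 5  # from the page: five codes per user generation
CODE_LENGTH = 16     # assumption: 16 symbols of 5 bits each, about 80 bits
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: no 0/O or 1/I

def _new_code():
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))

def _digest(code):
    # Store only a hash so a leaked table does not expose usable codes.
    return hashlib.sha256(code.encode("ascii", "replace")).digest()

class BackupCodeStore:
    """Hypothetical in-memory store: user -> list of (hash, expires_at)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}

    def generate_user_batch(self, user):
        codes = [_new_code() for _ in range(CODES_PER_BATCH)]
        # Assumption: a new batch replaces any codes issued earlier.
        self._codes[user] = [(_digest(c), None) for c in codes]
        return codes  # shown once, to be saved, emailed or printed

    def generate_admin_code(self, user, expire_mins):
        code = _new_code()
        expires_at = self._clock() + expire_mins * 60
        self._codes.setdefault(user, []).append((_digest(code), expires_at))
        return code

    def redeem(self, user, code):
        candidate = _digest(code.strip().upper())
        entries = self._codes.get(user, [])
        for i, (stored, expires_at) in enumerate(entries):
            if hmac.compare_digest(stored, candidate):
                del entries[i]  # single use: consumed even if already expired
                return expires_at is None or self._clock() < expires_at
        return False
```

The `clock` parameter exists so expiry can be exercised without waiting; a real deployment would also rate-limit failed `redeem` attempts and log every successful use.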