Recovery codes

A recovery code is a backup for your TOTP (Authenticator) or Web Authentication second factor. If you do not have access to your second-factor device when you need to log in, you can use your recovery code instead.

Functionally, the recovery code is not a standalone method but an "extension" of the Authenticator and Web Authentication methods. When you onboard either of these methods, Safewhere Identify also generates a recovery code for you, and you need to save it somewhere safe before you can finish your login.

Generate a recovery code

For Authenticator, after you finish scanning a QR code and entering a valid code, Identify will generate a recovery code for you:

[Figure: recovery-code-onboarding]

The recovery code is a 24-letter random string. You can use the "Copy code" button to copy it to the clipboard.

After you check the "I have safely recorded this number" checkbox, you can click the "Continue" button to finish onboarding the second factor.

Login with recovery code

When you have onboarded your Authenticator app and have a recovery code, the MFA screen where you enter a TOTP shows a new option called "Recovery code" under the "Try another method" text.

[Figure: recovery-code-option]

You can click the "Recovery code" option to log in with the recovery code that was generated earlier for your Authenticator method:

[Figure: recovery-code-login]

When your setup has more than one OTP connection, an end user can end up with multiple recovery codes: one code for each connection. The default view therefore shows the information you need to tell your users which connection a recovery code belongs to.
Showing the user name claim (the identity-bearing claim in Identify context) on the UI can be a security or privacy risk if it contains a sensitive value. If that is the case, you can simply remove this piece of information when you customize the view.

After you enter a recovery code and submit, Identify will verify the code:

  • If it is wrong, Identify renders the recovery code view again so that you can retry. Because the code is long and random, which makes a brute-force attack impossible, Identify does not restrict the number of times that you can enter the code for now.
    [Figure: recovery-code-incorrect]
  • If it is correct, Identify generates a new code for you, just as in the onboarding process.
    [Figure: recovery-code-correct]

Note that from this moment, your old recovery code is no longer valid. You have to use the new one for the next login.

Offboarding

As mentioned, the recovery code is an extension of the Authenticator and Web Authentication methods, so it is deleted automatically when you offboard the primary method.
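The lifecycle described in the two sections above (verify, rotate on a correct code, delete on offboarding) as an added Python model. This is example code, not Safewhere Identify's implementation: the page only states that the code is a 24-letter random string and single-use per connection, so the letter alphabet, the hashed-at-rest storage and the per-(user, connection) keying are assumptions made here.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumption: the page says "24-letter", so draw from ASCII letters (52 symbols).
ALPHABET = string.ascii_letters
CODE_LENGTH = 24


def generate_code(length=CODE_LENGTH, alphabet=ALPHABET):
    """Return a fresh recovery code drawn from a CSPRNG, never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def code_entropy_bits(length=CODE_LENGTH, alphabet=ALPHABET):
    """Entropy of a code; 24 letters from 52 symbols is about 137 bits."""
    return length * math.log2(len(alphabet))


def hash_code(code):
    """Store only a digest so a leaked table does not yield usable codes (assumption)."""
    return hashlib.sha256(code.encode()).hexdigest()


class RecoveryCodeStore:
    """One recovery code per (user, connection), as the page describes for multiple OTP connections."""

    def __init__(self):
        self._hashes = {}  # (user, connection) -> hex digest of the current code

    def onboard(self, user, connection):
        """Issue a code at onboarding; the plaintext is shown to the user exactly once."""
        code = generate_code()
        self._hashes[(user, connection)] = hash_code(code)
        return code

    def redeem(self, user, connection, candidate):
        """Return a replacement code on success, or None if the code is unknown or wrong."""
        stored = self._hashes.get((user, connection))
        if stored is None:
            return None  # no recovery code exists (never onboarded, or offboarded)
        if not hmac.compare_digest(stored, hash_code(candidate)):
            return None  # wrong code: nothing changes, the user may try again
        # Correct code: the old one is now invalid and a new one is issued, as after onboarding.
        return self.onboard(user, connection)

    def offboard(self, user, connection):
        """Offboarding the primary method removes its recovery code with it."""
        self._hashes.pop((user, connection), None)

    def has_code(self, user, connection):
        return (user, connection) in self._hashes
```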

Hosted forms

Identify supports hosted forms for two of the views described above:

  • Onboarding succeeded view
  • Recovery code login view

You can find, enable, and customize these two views in the Safewhere Admin:

[Figure: recovery-code-hostedforms]