Manage MFA Recovery Codes
Recovery codes allow users to sign in when their MFA device is unavailable. This guide explains how recovery codes work, how to enable and configure them in UserLock, and best practices for secure management.
Recovery codes act as a backup authentication method when a user cannot access their MFA device. They ensure continuity of access without compromising security.
When a user first configures Multi-Factor Authentication (MFA), UserLock generates a list of recovery codes.
Each code can be used only once to complete authentication.
Note
If a workstation is offline (no network connection), recovery codes remain valid until the next synchronization with the UserLock service.
When the workstation reconnects, any previously used codes are automatically marked as used.
Administrators enable recovery codes in the UserLock Console:
Go to ⚙️ Server settings → MFA → Recovery codes
Then enable Allow recovery codes.
Set the number of codes generated per user. The default is 10; it can be set anywhere from 4 to 20 codes to match your security policy or user needs.
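The following Python model is an added example written for this guide; it is not UserLock's own code and does not show how UserLock stores or synchronises codes internally. It illustrates the behaviour described above: a configurable number of single-use codes (default 10, bounded to 4–20), codes stored only as hashes, and a workstation that validates a code while offline and has that code marked as used on the central store at the next synchronisation. The class and function names, the code format, and the assumption that the offline workstation keeps a local copy of the hash table are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Limits taken from the page: 10 codes by default, adjustable between 4 and 20.
DEFAULT_CODE_COUNT = 10
MIN_CODE_COUNT = 4
MAX_CODE_COUNT = 20


def _digest(code):
    """Normalise a code (ignore dashes and case) and hash it; only hashes are ever stored."""
    return hashlib.sha256(code.replace("-", "").upper().encode()).hexdigest()


def _redeem_from(table, code):
    """Mark the matching entry in `table` (digest -> used flag) as used.

    Returns the matched digest, or None when the code is unknown or already used.
    Every stored hash is compared in constant time so timing does not reveal a match."""
    wanted = _digest(code)
    matched = None
    for stored in table:
        if hmac.compare_digest(stored, wanted):
            matched = stored
    if matched is None or table[matched]:
        return None
    table[matched] = True
    return matched


class RecoveryCodeStore:
    """Central (server-side) record of one user's recovery codes (hypothetical model)."""

    def __init__(self):
        self._codes = {}

    def generate(self, count=DEFAULT_CODE_COUNT):
        """Create a fresh set; the plaintext list is returned once and never stored."""
        if not MIN_CODE_COUNT <= count <= MAX_CODE_COUNT:
            raise ValueError(f"count must be between {MIN_CODE_COUNT} and {MAX_CODE_COUNT}")
        plaintext = []
        self._codes = {}
        for _ in range(count):
            raw = secrets.token_hex(5).upper()      # 40 bits of randomness per code
            code = f"{raw[:5]}-{raw[5:]}"           # constructed format, e.g. 3F9A1-C07BE
            plaintext.append(code)
            self._codes[_digest(code)] = False
        return plaintext

    def redeem(self, code):
        return _redeem_from(self._codes, code) is not None

    def remaining(self):
        return sum(1 for used in self._codes.values() if not used)

    def snapshot(self):
        """Copy of the hash table handed to a workstation for offline validation."""
        return dict(self._codes)

    def sync(self, used_offline):
        """Reconcile codes consumed offline; returns how many were newly marked used."""
        newly = 0
        for digest in used_offline:
            if digest in self._codes and not self._codes[digest]:
                self._codes[digest] = True
                newly += 1
        return newly


class OfflineWorkstation:
    """Workstation holding a snapshot while disconnected; records what it consumed."""

    def __init__(self, snapshot):
        self._codes = snapshot
        self.pending = []

    def redeem(self, code):
        digest = _redeem_from(self._codes, code)
        if digest is not None:
            self.pending.append(digest)
        return digest is not None


def walk_through():
    """Offline use followed by synchronisation; returns the observed states."""
    server = RecoveryCodeStore()
    codes = server.generate()
    workstation = OfflineWorkstation(server.snapshot())
    result = {"offline_accepted": workstation.redeem(codes[0])}
    result["offline_replay"] = workstation.redeem(codes[0])        # local copy already used
    result["server_remaining_before_sync"] = server.remaining()    # server not yet informed
    result["marked_on_sync"] = server.sync(workstation.pending)
    result["server_remaining_after_sync"] = server.remaining()
    result["replay_after_sync"] = server.redeem(codes[0])          # now rejected centrally
    result["fresh_code_after_sync"] = server.redeem(codes[1])
    return result


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Running the script walks through the offline case: the workstation accepts a code, the central store still counts all 10 codes as unused until sync, and after sync the same code is rejected everywhere while the remaining codes still work.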

To maintain security and usability, consider the following best practices:
Educate users on the purpose of recovery codes and when to use them (only if MFA access is lost).
Instruct users to store their codes in a secure location, such as an encrypted password manager or a sealed printed document kept in a safe place.
Discourage screenshots or plain-text digital copies of codes, as they can easily be compromised.
Rotate codes periodically if your organization requires frequent MFA resets.
Audit MFA usage to identify repeated recovery code use, which may indicate device issues or poor MFA adoption.
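As an added example of the audit step above (not part of the original guide and not based on UserLock's actual log format), the script below scans constructed authentication-event lines and flags any user who completed MFA with a recovery code several times inside a seven-day window. The line layout, field names, the 7-day window and the threshold of 2 events are assumptions chosen for the illustration; adapt the parser to the real event source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the field layout is an assumption, not UserLock's real log format.
SAMPLE_LOG = """\
2024-05-01T08:12:03Z user=jdoe method=totp result=success
2024-05-01T09:40:11Z user=jdoe method=recovery_code result=success
2024-05-02T07:55:42Z user=asmith method=recovery_code result=success
2024-05-03T10:02:19Z user=jdoe method=recovery_code result=success
2024-05-06T08:30:00Z user=jdoe method=recovery_code result=failure
2024-05-07T12:14:27Z user=bwayne method=totp result=success
2024-05-20T09:00:00Z user=asmith method=recovery_code result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, user, method, result); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match["user"], match["method"], match["result"]))
    return events


def find_repeated_recovery_use(events, window=timedelta(days=7), threshold=2):
    """Return {user: count} for users with at least `threshold` recovery-code
    attempts (success or failure) inside any sliding `window`.

    Repeated use points at a lost or broken MFA device, or a user who has fallen
    back on recovery codes instead of enrolling a device properly."""
    times_by_user = defaultdict(list)
    for ts, user, method, _result in events:
        if method == "recovery_code":
            times_by_user[user].append(ts)

    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        peak = 0
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, count in find_repeated_recovery_use(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {count} recovery-code attempts within 7 days - check MFA device")
```

On the sample data only jdoe is reported (three recovery-code attempts between 1 and 6 May); asmith used a code twice but 18 days apart, which is below the threshold for a single window. Counting failures as well as successes is deliberate: a run of failed recovery-code attempts is worth a look whether it comes from a confused user or from someone else.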
Recovery codes are displayed only once during the user’s initial MFA setup.
They cannot be recovered or regenerated later by administrators or users.
If a user loses their codes, MFA must be reset by an administrator.
