Temporarily Disable MFA for a User

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

If a user forgets their mobile device at home, or they do not have access to it for some other reason, you can use the Forgot Token feature to allow the user to log in without their mobile device for a specific amount of time.

The Forgot Token feature disables multi-factor authentication for a specific user for a specific amount of time. For the amount of time you specify, the user is not required to authenticate with their mobile device in order to log in. When they log in, they are only required to type their user name and password.

You can only enable Forgot Token mode for users that are not blocked and that have at least one active, unblocked token; blocked users are not eligible.

If a user does not have access to their phone because it has been lost or stolen, we recommend that you block their token(s). For more information, see Block or Unblock a Token.

Overview

  1. A user forgets or misplaces the mobile device they use for authentication. They must contact an operator.
  2. The user provides the operator with the Activation Code value shown in the Forgot Token window.
  3. The operator provides the user with a Period value and a Verification Code.
  4. The user types their password and validates the Period and Verification Code. Once validated, the user can log in with their password.

Enable the Forgot Token Feature

To temporarily disable MFA and allow a user to log in to protected resources without their token:

  1. Ask the user to click Forgot Token on the authentication page or the computer logon page (if the Logon app is installed). To get to the authentication page, the user must navigate to the IdP portal or to the URL for any service or application that requires authentication to log in.
  2. Ask the user to provide the Activation Code value shown in the Forgot Token window.

Screen shot that shows the activation code in the Forgot Token window.

  3. Log in to the AuthPoint Management UI and navigate to the Users page.
  4. In the relevant user row, open the menu for that user and select Forgot Token.

Screen shot that shows the menu for a user on the Users page.

  5. In the Forgot Token window, in the Period (hour) text box, type the number of hours that the user can log in without their token.
  6. In the Activation Code text box, type the 6-digit activation code provided to you by your user.

Screen shot that shows the Forgot Token window.

  7. Click Generate to generate a Verification Code.
  8. Provide your user with the Period and Verification Code values. When the user types their password and these two values in the Forgot Token window on the SSO page, they are logged in.

Screen shot that shows the Forgot Token window.

After the user has validated their password and the Period and Verification Code values, they are logged in. For the period of time you specified, AuthPoint multi-factor authentication is disabled for that user and they can log in to any protected resource with only their AuthPoint password. To log in to a resource during that period, the user clicks Forgot Token and types their password.

On the SSO page, when the user logs in they can see the amount of time that remains for them to log in without their token.

If the user authenticates with MFA (they use an OTP, approve a push, or scan a QR code), the Forgot Token feature is disabled since this indicates that they have regained access to their token.
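The rules on this page (a user is eligible only if not blocked and holding an active, unblocked token; the bypass lasts for the Period you set; a successful MFA authentication ends it early) as a small Python model. This is an added example, not AuthPoint code: the class and function names are hypothetical and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
# Hypothetical model of this page's Forgot Token rules; not AuthPoint code.
@dataclass
class Token:
    active: bool = True
    blocked: bool = False

@dataclass
class User:
    blocked: bool = False
    tokens: List[Token] = field(default_factory=list)
    bypass_until: Optional[datetime] = None  # end of the Forgot Token period, if any

def eligible_for_forgot_token(user: User) -> bool:
    """Not blocked, and at least one active, unblocked token."""
    return not user.blocked and any(t.active and not t.blocked for t in user.tokens)

def enable_forgot_token(user: User, period_hours: int, now: datetime) -> bool:
    """Operator action: open a time-boxed password-only window; False if not allowed."""
    if period_hours <= 0 or not eligible_for_forgot_token(user):
        return False
    user.bypass_until = now + timedelta(hours=period_hours)
    return True

def mfa_required(user: User, now: datetime) -> bool:
    """Password-only login is accepted only while the window is still open."""
    return user.bypass_until is None or now >= user.bypass_until

def remaining_hours(user: User, now: datetime) -> float:
    """Time left in the window, as the SSO page shows it to the user (0 if closed)."""
    return 0.0 if mfa_required(user, now) else (user.bypass_until - now).total_seconds() / 3600

def record_mfa_success(user: User) -> None:
    """An OTP, push approval or QR scan means the token is back: end the window early."""
    user.bypass_until = None

def demo() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
    alice = User(tokens=[Token()])
    bob = User(blocked=True, tokens=[Token()])
    out = {"bob_eligible": eligible_for_forgot_token(bob)}
    out["enabled"] = enable_forgot_token(alice, 4, t0)
    out["mfa_after_1h"] = mfa_required(alice, t0 + timedelta(hours=1))
    out["left_after_1h"] = remaining_hours(alice, t0 + timedelta(hours=1))
    out["mfa_after_4h"] = mfa_required(alice, t0 + timedelta(hours=4))
    record_mfa_success(alice)
    out["mfa_after_reset"] = mfa_required(alice, t0 + timedelta(hours=2))
    return out
```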

If you enable the Forgot Token feature for a user that has the Mobile VPN with SSL client open, the user must completely quit the client before they can connect to the VPN without MFA.

Related Topics

Authentication Without Your Mobile Device

Add New Software Tokens

About Authentication

Resend Activation Email