Back-up Recovery Code Overview
- Trimble Identity (TID) has implemented a mandatory backup code generation process for all users with Multi-Factor Authentication (MFA).
- These codes (also known as Recovery Codes) are a secure, single-use method to recover access to a TID account.
User Flow
Users with MFA are required to generate and save these recovery codes to ensure continuous and secure access to their TID account.
-
Mandatory Generation : Upon logging in, users are guided through the backup code generation process. Users are prompted to save their codes in a safe place by clicking “Download” or “Copy”
- Generation After Use: If a user utilizes all 10 codes, an option to generate a new set of codes will be presented during the login process when the final code is redeemed, ensuring the user always has a recovery method available.
- Self-Service Generation : Users can also generate new backup codes within the MyProfile application under the MFA section.
-
Recovery Flow : If the primary MFA device is unavailable, the login process allows the user to input a backup code for account access.
-
One-Time Use: Each backup code can only be used once. Upon successful login, the code is immediately invalidated.
- Validity: The codes do not currently have an expiration date and remain valid until they are used.
-
Error Messages : Clear error messages are displayed for codes that are invalid or have already been used.
Authentication Method Reference (AMR) Claim
When a user successfully bypasses the primary MFA method using a backup code, the Authentication Method Reference (AMR) claim is set to “otp”. This occurs instead of the specific MFA method that was skipped.
This means the presence of “otp” in the AMR signifies the successful use of a single-use backup code for recovery in that context.
To maximize the security of your recovery codes:
- Use a Secure Password Manager : Copy your recovery codes and store them within a reputable password manager. This provides encrypted digital storage and easy access when needed.
- Encrypt Downloaded Codes : Download the recovery codes to your device and store them in an encrypted file or volume. Remember to keep the encryption key or password secure and separate from the recovery codes.
- Avoid Unsecured Storage : Do not keep the codes printed out near your computer or in an unsecured wallet.
- Avoid Public Systems : Do not keep the codes in a public or shared system.
- Avoid Unencrypted Communication : Do not send codes via unencrypted email, SMS, or regular chat apps.