How can we improve Azure Active Directory?

Backup Codes for Azure MFA

Please add support for "Backup Codes" to Azure MFA as soon as possible. Many popular MFA services already support Backup Codes, basically a list of 10 valid authentication codes that a user can print off and use in situations where their regular authentication method is not available.

Use cases for backup codes include:

- User's mobile phone is lost, stolen, or damaged.
- User will be in an area without good mobile phone service or consistent access to a land line.
- User lets their mobile phone battery drain.

55 votes

paul shared this idea

Status: planned  ·  Azure AD Team (Admin, Product Manager, Microsoft Azure) responded:

There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.

Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.

Richard
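As an added illustration (not Microsoft's implementation and not code from this thread), here are the two recovery mechanisms discussed above side by side: printed backup codes that are stored only as hashes and consumed on first use, and a user- or admin-issued time-limited passcode that expires and is likewise single-use. The class and method names and the 10-minute lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set


def _h(code: str) -> str:
    """Hash a code before storing it; plaintext codes never sit in the store."""
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class RecoveryStore:
    """Per-user recovery state: unused backup-code hashes plus one temporary pass."""
    backup_hashes: Set[str] = field(default_factory=set)
    pass_hash: Optional[str] = None
    pass_expires: float = 0.0

    def issue_backup_codes(self, n: int = 10) -> List[str]:
        """Generate n random 8-digit codes; only their hashes are kept."""
        codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(n)]
        self.backup_hashes = {_h(c) for c in codes}
        return codes  # shown to the user once, e.g. for printing

    def redeem_backup_code(self, code: str) -> bool:
        """Accept a backup code once; a matched hash is removed so it cannot be replayed."""
        candidate = _h(code)
        for stored in list(self.backup_hashes):
            if hmac.compare_digest(stored, candidate):  # constant-time comparison
                self.backup_hashes.discard(stored)
                return True
        return False

    def issue_temporary_pass(self, lifetime_s: int = 600, now: Optional[float] = None) -> str:
        """Issue a short-lived passcode (by the user just in time, or by a helpdesk admin)."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(9)
        self.pass_hash = _h(code)
        self.pass_expires = now + lifetime_s
        return code

    def redeem_temporary_pass(self, code: str, now: Optional[float] = None) -> bool:
        """Valid only before expiry and only once; expired or used passes are discarded."""
        now = time.time() if now is None else now
        if self.pass_hash is None or now >= self.pass_expires:
            self.pass_hash = None
            return False
        ok = hmac.compare_digest(self.pass_hash, _h(code))
        if ok:
            self.pass_hash = None
        return ok
```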

9 comments

  • Daniel Shlyam commented

    @Azure AD Team, it has been a year since the post above. When will "time-limited passcodes" options will be implemented?

  • KoprowskiT commented

    Backup Codes are not secure. If you do not enforce that users keep them encrypted in a safe box, they will simply print them and store them in their wallet. Then when their device and wallet are stolen, it's extremely easy to get access to the system. I personally will opt for the Multi-Factor-Authentication scenario, which means for me that they are able to use: a code from the app, SMS code, push notification, backup email, app verification - rather than a backup code. Using it in the enterprise for end-users simply decreases the level of security.

  • Alexander Filipin commented

    Hi Richard,
    can you provide some more details on how the user could generate the passcode? Wouldn't that require another MFA option like U2F or UAF in the first place? I would like to have two independent MFA options, and none of them should be SMS.

  • Tim commented

    This and/or one-time bypass are essential functions before we can implement this in our organisation. Please provide a planned implementation date or roadmap for this.

  • Alexander Filipin commented

    Push! This is also very important as a backup solution if your authenticator app is no longer working (e.g. a faulty smartphone).

    As far as I understand, recovery / backup codes are more secure than a mobile number as an MFA backup due to mobile number hijacking from the carrier. Without this option you cannot remove the phone number, because otherwise there is no MFA fallback option.

    Looking forward to FIDO U2F but as of now backup codes are a quick win and common (e.g. Personal Microsoft Account).
