Backup Codes for Azure MFA
Please add support for "Backup Codes" to Azure MFA as soon as possible. Many popular MFA services already support Backup Codes, basically a list of 10 valid authentication codes that a user can print off and use in situations where there regular authentication method is not available.
Use cases for backup codes include:
- User's mobile phone is lost, stolen, or damaged.
- User will be in an area with out good mobile phone service or consistent access to a land line.
- Users let's mobile phone battery drain..
There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.
Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.
Daniel Shlyam commented
@Azure AD Team, it has been a year since the post above. When will "time-limited passcodes" options will be implemented?
What if Azure MFA service is not available? Then we can use backup codes?
Hrvoje Kusulja commented
Ok, any info and ETA when will Azure AD > One-time bypass, work also without need for on-prem MFA server ?
Backup Codes are not secure. If you do not enforce users to keep them encrypted in the safe box they will simply print it and store in the wallet. Then when their device and wallet will be stolen, it's extremely easy to get access to the system. I personally will opt to Multi-Factor-Authentication scenario which means for me that they are able to use: code from the app, SMS code, push notification, backup email, app verification - rather than backup code. Using it in the enterprise for end-users simply decrease the level of security.
Alexander Filipin commented
can you provide some more details how the user could generate the passcode? Wouldn't that require another MFA option like U2F or UAF in the first place? I would like to have two independent MFA options and none of them should be SMS.
This or/and one time bypass are essential functions before we can implement this in our organisation. Please provide a planned implementation date or roadmap for this.
Alexander Filipin commented
Push! This also very important as backup solution if your authenticator app is no longer working (e.g. faulty smartphone).
As far as I understand recovery / backup codes are more secure than a mobile number as MFA backup due to mobile number hijacking from carrier. Without this option you cannot remove the phone number because otherwise there is no MFA fallback option.
Looking forward to FIDO U2F but as of now backup codes are a quick win and common (e.g. Personal Microsoft Account).
This is a required feature for enterprises to seriously consider Azure MFA.
Robin Vermeirsch commented
or just allow support the enable a one time bypass.