Master recovery key

A master recovery key (MRK) is an alternative OTP that can be used to log in to a Windows machine protected by 2FA in situations where the user can not enter a valid OTP,or cannot authenticate by approving a push notification. For example, the user lost his phone where the ESA Mobile Application was installed. An MRK is unique to a user and computer, meaning, User1 and User2 would have a different MRK for PC1. Access via MRK is available even in online and offline mode. Offline use of MRK is available only if the offline mode for given computer is enabled in ESA Web Console in the section of Windows Login Settings. If offline mode is enabled, MRK is also stored locally on the computer in the encrypted and protected cache.

You can use MRK version 2.6 and later for other protection modules of ESA.

To use MRK for authentication:

1.Users cannot obtain an OTP, so they need to call the administrator.

2.The administrator opens ESA Web Console, navigates to Users > clicks the name of the particular user > clicks Actions > selects Show MRK > selects the particular protection module from the Choose component list-box, then selects the particular computer from the Choose computer list-box and clicks Show MRK. At this point a MRK is generated.


3.The administrator provides the obtained MRK to the user and the user can log in entering the MRK instead of OTP.

While the computer is in offline mode, an MRK may be used to log in to the particular Windows machine multiple times.

After first successful connection to ESA Authentication Server the previously generated MRK is invalidated and can not be used anymore, even if it was not used at all.

MRK generated for other protection modules of ESA are valid at most for 1 hour or until regenerated.


MRK for ESA Web Console administrator

In a case where the administrator of the ESA Web Console is unable to authenticate (for example, reinstalled ESA Mobile Application, lost PIN code, lost phone where the ESA Mobile Application was installed), reset ESA Web Console credentials:

1.Run the installer of ESET Secure Authentication again.

2.Click Change.

3.To replace the old account with a new one, enter the original administrator username and a new password when prompted. To create a different account, enter a new username and password.

4.Close the installer when complete.