Master recovery key
A master recovery key (MRK) is an alternative OTP that can be used to log in to a computer or service protected by 2FA in situations where the user cannot type a valid OTP or cannot authenticate by approving a push notification. For example, the user lost the phone on which the ESA Mobile Application was installed. An MRK is unique to a user and an ESA component, meaning that User1 and User2 would have different MRKs for PC1. For Windows Login Protection, access via MRK is available in both online and offline mode. Offline use of an MRK is available only if offline mode for the given computer is enabled in the Windows Login settings section of ESA Web Console. If offline mode is enabled, the MRK is also stored locally on the computer in the encrypted and protected cache.
In ESA version 2.6 and later, you can also use an MRK for components other than Windows Login.
To use MRK for authentication
The example below uses MRK for Windows Login.
1. Users cannot obtain an OTP, so they need to call the administrator.
2. The administrator opens ESA Web Console, navigates to Users > clicks the name of the specific user > clicks Actions > selects Show MRK > selects the protection module type in the Choose type section, then selects the specific computer from the Choose component list, and clicks Show MRK. At this point an MRK is generated.
Multiple ESA components: If the user has multiple ESA components listed within a specific protection module (for example, multiple computers within the Windows Login protection module), the component for which the user is requesting the MRK is listed at the top of the list as Last used.
3. The administrator provides the obtained MRK to the user, who can log in by typing the MRK instead of an OTP.
While the computer is in offline mode, an MRK may be used to log in to the specific Windows machine multiple times.
After the first successful connection to the ESA Authentication Server, the previously generated MRK is invalidated and cannot be used anymore, even if it was not used at all.
MRKs generated for other ESA protection modules are valid for at most 1 hour or until a successful login using an MRK or another authentication option.
Reset ESA Web Console administrator credentials
If the administrator of the ESA Web Console is unable to authenticate (for example, after reinstalling the ESA Mobile Application, losing the PIN code, or losing the phone on which the ESA Mobile Application was installed), reset the ESA Web Console credentials:
1. Run the installer of ESET Secure Authentication On-Prem again.
2. Click Change.
3. To replace the old account with a new one, type the original administrator username and a new password when prompted. To create a different account, type a new username and password.
4. Close the installer when complete.
5. Restart the ESET Secure Authentication On-Prem Core service for the change to take effect.