Master recovery key

A master recovery key (MRK) is an alternative OTP that can be used to log in to a computer or service protected by 2FA when the user cannot enter a valid OTP or authenticate by approving a push notification. For example, the user lost the phone on which the ESA Mobile Application was installed. An MRK is unique to a user and ESA component, meaning User1 and User2 would have a different MRK for PC1. For Windows Login Protection, access via MRK is available both online and offline. Offline use of MRK is available only if the offline mode for the given computer is enabled in the ESA Web Console in the Windows Login settings section. If offline mode is enabled, the MRK is stored locally on the computer in the encrypted and protected cache.

In ESA version 2.6 and later, you can also use MRK for components other than Windows Login.

To use MRK for authentication

The example below uses MRK for Windows Login.

  1. Users cannot obtain an OTP, so they need to call the administrator.
  2. The administrator opens ESA Web Console, navigates to Users > clicks the name of the specific user > clicks Actions > selects Show MRK > selects the protection module type in the Choose type section, then selects the specific computer from the Choose component list, and clicks Show MRK. At this point, an MRK is generated.

Note

Multiple ESA components

If the user has multiple ESA components listed within a specific protection module (for example, multiple computers within the Windows Login protection module), the component for which the user requests the MRK is listed as Last used.

  3. The administrator provides the obtained MRK to the user, who can then log in by entering the MRK instead of an OTP.

While the computer is offline, an MRK may be used to log in to the particular Windows machine multiple times.

After the first successful connection to the ESA Authentication Server, the previously generated MRK is invalidated and cannot be used anymore, even if it was not used at all.

An MRK generated for other ESET Secure Authentication protection modules is valid only for one hour or until a successful login using the MRK or another authentication option.