ESET Online Help


Master recovery key

A master recovery key (MRK) is an alternative OTP that can be used to log in to a computer or service protected by 2FA when the user cannot enter a valid OTP or cannot authenticate by approving a push notification, for example, when the user has lost the phone on which the ESA Mobile Application was installed. An MRK is unique to a user and an ESA component, meaning that User1 and User2 would have different MRKs for PC1. For Windows Login Protection, access via MRK is available in both online and offline mode. Offline use of an MRK is available only if offline mode is enabled for the given computer in the Windows Login settings section of ESA Web Console. If offline mode is enabled, the MRK is also stored locally on the computer in an encrypted and protected cache.

In ESA version 2.6 and later, you can also use an MRK for components other than Windows Login.

To use MRK for authentication

The example below uses MRK for Windows Login.

1. Users cannot obtain an OTP, so they need to call the administrator.

2. The administrator opens ESA Web Console, navigates to Users, clicks the name of the particular user, clicks Actions, selects Show MRK, selects the protection module type in the Choose type section, selects the particular computer from the Choose component list, and clicks Show MRK. At this point, an MRK is generated.


Note: Multiple ESA components

If the user has multiple ESA components listed within a particular protection module (for example, multiple computers within the Windows Login protection module), the component for which the user is requesting the MRK is listed at the top of the list as Last used.

3. The administrator provides the obtained MRK to the user, and the user can log in by entering the MRK instead of an OTP.

While the computer is in offline mode, an MRK may be used to log in to the particular Windows machine multiple times.

After the first successful connection to the ESA Authentication Server, the previously generated MRK is invalidated and cannot be used anymore, even if it was never used.

MRKs generated for other ESA protection modules are valid for at most 1 hour or until a successful login using the MRK or another authentication option.