
MFA Backup Codes: Secure Multi-Factor Authentication Recovery


Category: Management | Last Updated: Feb 4, 2026
Tags: management, blockchain

Overview

A field investigator's phone dies on the morning they need to access the platform for a time-sensitive warrant application. Their TOTP authenticator app is inaccessible. Without a recovery path, they are locked out until IT support intervenes, usually at exactly the wrong moment. MFA Backup Codes give that investigator a way back in through a one-time recovery code they generated and stored beforehand, without involving the help desk or weakening the overall authentication posture.

Each code set contains ten cryptographically generated codes. Every code works exactly once. After use, it is invalidated immediately. Users who exhaust their codes or suspect a set has been compromised can regenerate a fresh batch, which automatically invalidates the old ones.

Open Standards

  • Argon2id (RFC 9106 / PHC): All newly generated backup codes are hashed with Argon2id at 64 MiB memory, 3 iterations, and parallelism 4, providing memory-hard resistance against offline GPU/ASIC attacks.
  • PBKDF2-HMAC-SHA-256 (RFC 8018): Legacy backup code hashes stored under the prior PBKDF2 scheme remain verifiable; the iteration count is validated against a policy floor of 100,000 and ceiling of 1,000,000 before verification proceeds.
  • HMAC (RFC 2104): Constant-time digest comparison via hmac.compare_digest is applied to legacy hash paths during backup code verification to eliminate timing side-channels.
  • TOTP (RFC 6238) and HOTP (RFC 4226): Backup codes are the designated fallback when the primary TOTP authenticator is unavailable, and the authentication flow integrates with the TOTP verification pipeline.
  • FIDO2 / Web Authentication (W3C WebAuthn Level 2): Backup codes serve as a universal recovery path alongside FIDO2 passkeys and hardware security keys enrolled through the WebAuthn registration ceremony.
  • JSON Web Token (RFC 7519) with Authentication Methods References (RFC 8176): A successful backup code redemption populates the amr claim with the value otp in the issued JWT, allowing downstream services to assert the authentication assurance level.
  • OWASP Application Security Verification Standard (ASVS) v4, V2.3.3 / V2.7.1: Low-balance renewal reminders (ASVS V2.3.3) and rate limiting on verification and regeneration endpoints (ASVS V2.7.1) are explicitly mapped to these requirements in the service code.

Last Reviewed: 2026-02-04 | Last Updated: 2026-04-14

Key Features

Backup Code Generation

Codes are generated using Python's secrets module (a CSPRNG). The 8-character alphanumeric format uses a character set that excludes visually similar characters (0/O, 1/I/l) to prevent transcription errors. Ten codes are issued per set by default, configurable per organisational policy.

  • Format: XXXX-XXXX using ABCDEFGHJKLMNPQRSTUVWXYZ23456789
  • Case-insensitive validation: Codes are normalised to uppercase before comparison
  • Batch replacement: Regenerating a set immediately invalidates all previous codes

One-Time Verification

Each code can be used exactly once. The platform stores only the bcrypt hash, never the plaintext. After a successful match, the hash is removed immediately. Constant-time comparison prevents timing attacks during hash matching.

  • Automatic invalidation: Used codes are removed from the database on the same request that matches them
  • Audit logging: Every verification attempt, successful or not, is recorded with timestamp and source IP
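As an added example (not the platform's own code), the generation, normalisation, one-time verification and batch replacement described in the two sections above, in Python: codes come from the secrets module and the constructed character set, the stored form is a salted PBKDF2-HMAC-SHA-256 hash whose iteration count is checked against the page's policy floor and ceiling before verification, and the digest comparison uses hmac.compare_digest. The Argon2id path named under Open Standards needs the third-party argon2-cffi package and is left out so the block runs on the standard library alone; the StoredCode record and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: the page's character set (no 0/O, 1/I/l) and PBKDF2 policy bounds.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODES_PER_SET = 10
PBKDF2_MIN_ITERATIONS = 100_000    # policy floor
PBKDF2_MAX_ITERATIONS = 1_000_000  # policy ceiling


@dataclass
class StoredCode:            # assumed persistence record: never holds plaintext
    salt: bytes
    iterations: int
    digest: bytes


def generate_code() -> str:
    """XXXX-XXXX, each character drawn from the CSPRNG via secrets.choice."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
    return f"{raw[:4]}-{raw[4:]}"


def normalise(code: str) -> str:
    """Case-insensitive validation: strip whitespace and the dash, uppercase."""
    return code.strip().replace("-", "").upper()


def hash_code(code: str, iterations: int = PBKDF2_MIN_ITERATIONS) -> StoredCode:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, iterations)
    return StoredCode(salt, iterations, digest)


def generate_set() -> tuple[list[str], list[StoredCode]]:
    """Plaintext codes are shown to the user once; only the hashes are persisted."""
    codes = [generate_code() for _ in range(CODES_PER_SET)]
    return codes, [hash_code(c) for c in codes]


def regenerate_set(stored: list[StoredCode]) -> list[str]:
    """Batch replacement: the new set invalidates every previous code in place."""
    codes, hashes = generate_set()
    stored[:] = hashes
    return codes


def verify_and_consume(candidate: str, stored: list[StoredCode]) -> bool:
    """One-time use: on a match the hash is deleted from `stored` on the same call."""
    cand = normalise(candidate).encode()
    for i, entry in enumerate(stored):
        if not PBKDF2_MIN_ITERATIONS <= entry.iterations <= PBKDF2_MAX_ITERATIONS:
            continue  # out-of-policy iteration count: never verifies
        derived = hashlib.pbkdf2_hmac("sha256", cand, entry.salt, entry.iterations)
        if hmac.compare_digest(derived, entry.digest):  # constant-time comparison
            del stored[i]
            return True
    return False
```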

Recovery Mechanism

Backup codes integrate with TOTP, FIDO2 passkeys, SMS, and hardware key MFA methods. High-risk recovery attempts trigger step-up challenges based on risk assessment signals.

Code Management

Users can monitor remaining code count, view usage history, and regenerate codes through the self-service account interface. Administrators can enforce regeneration intervals and monitor backup code usage patterns across the organisation.

  • Automatic expiration: Configurable code expiration period (default: 365 days)
  • Usage analytics: Dashboard view of consumption trends and remaining code counts

Use Cases

  • Field staff and law enforcement officers with primary MFA devices that are unavailable during operations
  • Government IT departments reducing account lockout incidents that require help desk escalation
  • Compliance officers ensuring every user has a tested recovery path before MFA is made mandatory across the organisation
  • Security teams monitoring backup code usage patterns to detect potential account compromise through unusual consumption rates

Integration

  • Identity providers for single sign-on environments where backup codes serve as a universal fallback
  • SIEM platforms for security event correlation on backup code usage
  • Organisational directory services for policy enforcement across user groups
  • Compliance reporting platforms for MFA coverage and recovery pathway audit documentation
