About Account Recovery
note
Account recovery is available for Enterprise organizations.
Account recovery allows owners, admins, and some custom role members to recover member accounts in the event that a member forgets their master password or loses their trusted devices. Account recovery:
Can be activated for an organization by turning on the Account recovery administration policy.
Requires that members enroll, using automatic enrollment or through self-enrollment, to be eligible for account recovery. Enrollment triggers the key exchange that makes account recovery secure.
Does not bypass members' two-step login or SSO. If a two-step login method is enabled for the account or if the organization requires SSO authentication, members will still be required to use these methods to access their account after recovery.
More information
Who can recover accounts
Account recovery can be executed by owners, admins, and permitted custom users. Account recovery uses a hierarchical permission structure to determine who can reset whose master password, meaning:
Any owner, admin, or member with a custom role that includes Manage account recovery can reset a user's or custom role member's master password.
Only an admin or owner can reset an admin's master password.
Only an owner can reset another owner's master password.
Event logging
Events are logged when:
A master password is reset using account recovery.
A user updates a password issued through account recovery.
A user enrolls in account recovery.
A user withdraws from account recovery.
How it works
When a member of the organization enrolls in account recovery, that user's encryption key is encrypted with the organization's public key. The result is stored as the Account Recovery Key.
When an recovery action is taken:
The organization private key is decrypted with the organization symmetric key.
The user's Account Recovery Key is decrypted with the decrypted organization private key, resulting in the users's encryption key.
The user’s encryption key is encrypted with a new master key and a new master password hash is seeded from the new master password, both the master key-encrypted encryption key and master password has replace pre-existing server-side values
The user's encryption key is encrypted with the organization's public key, replacing the previous Account Recovery Key with a new one.
At no point will anyone, including the administrator who executes the reset, be able to see the old master password.
Next steps
Set up account recovery by turning on the Account recovery administration policy .
Instruct users to enroll in account recovery if they joined before the policy was turned on or if you didn't turn on automatic enrollment.
Learn how to recover the account of an enrolled member.
Provide members with instructions on what to do when their account is recovered.