Admin ConsoleManage MembersAccount Recovery

About Account Recovery

note

Account recovery is available for Enterprise organizations.

Account recovery allows owners, admins, and some custom role members to recover member accounts in the event that a member forgets their master password or loses their trusted devices. Account recovery:

  • Can be activated for an organization by turning on the Account recovery administration policy.

  • Requires that members enroll, using automatic enrollment or through self-enrollment, to be eligible for account recovery. Enrollment triggers the key exchange that makes account recovery secure.

  • Does not bypass members' two-step login or SSO. If a two-step login method is enabled for the account or if the organization requires SSO authentication, members will still be required to use these methods to access their account after recovery.

More information

Who can recover accounts

Account recovery can be executed by owners, admins, and permitted custom users. Account recovery uses a hierarchical permission structure to determine who can reset whose master password, meaning:

  • Any owner, admin, or member with a custom role that includes Manage account recovery can reset a user's or custom role member's master password.

  • Only an admin or owner can reset an admin's master password.

  • Only an owner can reset another owner's master password.

Event logging

Events are logged when:

  • A master password is reset using account recovery.

  • A user updates a password issued through account recovery.

  • A user enrolls in account recovery.

  • A user withdraws from account recovery.

How it works

When a member of the organization enrolls in account recovery, that user's encryption key is encrypted with the organization's public key. The result is stored as the Account Recovery Key.

When an recovery action is taken:

  1. The organization private key is decrypted with the organization symmetric key.

  2. The user's Account Recovery Key is decrypted with the decrypted organization private key, resulting in the users's encryption key.

  3. The user’s encryption key is encrypted with a new master key and a new master password hash is seeded from the new master password, both the master key-encrypted encryption key and master password has replace pre-existing server-side values

  4. The user's encryption key is encrypted with the organization's public key, replacing the previous Account Recovery Key with a new one.

At no point will anyone, including the administrator who executes the reset, be able to see the old master password.

Next steps