Create bypass codes

A bypass code allows users to log in to an application if they lose access to their second factor.

Bypass codes can be created by operators with admin and support roles.

If users are temporarily unable to use their second factor, they can use a bypass code within the timeframe specified when the code was created. However, if their 2FA is permanently lost, a support operator needs to manually delete it from the user's profile and allow them to reenroll.

To create a bypass code, identify the user in the global or Application Representation scope and click the Bypass button.

In the dropdown list below Status, choose the validity period for the code.

Once the validity period is selected, make sure to copy the code and deliver it to the user securely. Once you close the window with the code, it will disappear and there will be no way to retrieve it (though you can generate a new bypass code).

To verify the status of the bypass code, click the Bypass button. You will see if the code is enabled, how many failed attempts the user made, and when it will expire.

The number of failed attempts allowed is configured by the Administrator; by default, 3 attempts are allowed. If a user exceeds this number, the bypass code will be blocked, and a new one will need to be generated. The user will not receive an error indicating that the code was blocked.
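The lifecycle described above (validity period, failed-attempt limit, silent blocking, and the status fields shown to the operator) can be modelled as follows. This is an added example, not Secfense code: the names `BypassRecord` and `create_bypass_code`, the code format, and digest-only storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 3  # default named on the page; set by the Administrator


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


class BypassRecord:
    """Hypothetical server-side record of one bypass code."""

    def __init__(self, code, validity_seconds, now):
        # Assumption: only a digest is stored, which is one way to make the
        # code unrecoverable once the operator closes the window.
        self._code_digest = _digest(code)
        self.expires_at = now + validity_seconds
        self.failed_attempts = 0
        self.enabled = True

    def status(self):
        """The three fields the operator sees behind the Bypass button."""
        return {"enabled": self.enabled,
                "failed_attempts": self.failed_attempts,
                "expires_at": self.expires_at}

    def verify(self, candidate, now=None):
        """Return only True/False so a blocked code looks like a wrong one."""
        now = time.time() if now is None else now
        matches = hmac.compare_digest(_digest(candidate), self._code_digest)
        if not self.enabled or now >= self.expires_at:
            return False
        if matches:
            return True
        self.failed_attempts += 1
        # Assumption: "exceeds" is read literally, so the failure after the
        # allowed number is the one that blocks the code.
        if self.failed_attempts > MAX_FAILED_ATTEMPTS:
            self.enabled = False
        return False


def create_bypass_code(validity_seconds, now=None):
    """Return (plaintext for one-time display, record to store)."""
    now = time.time() if now is None else now
    code = secrets.token_hex(8)  # constructed format, not the product's
    return code, BypassRecord(code, validity_seconds, now)
```

Because a blocked or expired code returns the same result as a wrong one, the operator's status view is the only place to tell these cases apart.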

By design, users are not allowed to reset their own second factor. If they lose, for example, a U2F key and wish to remove it from Secfense configuration to add a new one (reenroll to 2FA), they need to ask Support or Help Desk to do it for them.