Recovery PINs
macOS
Overview
HYPR’s Recovery PIN functionality gives employees temporary access to their workstation if they don’t have their mobile device or if they need to replace it with a new one for any reason. Recovery PINs are auto-generated by the HYPR Mobile app and stored on the server for retrieval by an Administrator when needed.
Configuring Recovery Mode
To make Recovery PINs available to end users, the Administrator must first enable Recovery Mode in the HYPR Control Center. Recovery Mode is disabled by default.
Recovery Mode/Recovery PIN configuration is on the Workstation Settings screen in the Control Center.

In addition to activating Recovery Mode, Administrators can set the following Recovery PIN parameters:
Parameter | Description |
---|---|
Recovery PIN Length | Number of characters used when generating a Recovery PIN (6 to 13) |
Recovery PIN Counter | Number of PINs generated during user device pairing (1 to 10) |
Recovery PIN Lifespan | Number of hours for which the PIN is valid (24 to 72). The timer starts when the user first logs in using the PIN. |
Generating Recovery PINs
The initial Recovery PINs are generated automatically when the user first pairs the HYPR Mobile App or security key with the workstation.

The PINs are subsequently regenerated each time the user authenticates the machine with HYPR.

Note that because PINs are tied to a specific username/machine name combination, they’re only valid for one workstation. Users will need a different PIN for other workstations even if they share the same domain.
Requesting a Recovery PIN
To request a Recovery PIN, the user must contact the Administrator and provide the Machine Name and Username for the workstation that needs to be unlocked. This information can be displayed by clicking the "Don't have your phone?" link on the workstation unlock screen.

The same information also appears by default on the initial login screen when the workstation is started.

Get the Username or Machine Name with an API Call
If the user isn’t able to provide both the username and machine name for some reason, the Administrator can retrieve one or the other via the HYPR API.
To retrieve the username for a given machine name, use this endpoint:
{{url}}/rp/api/oob/client/devices/{{rp-application-name}}/{{machine-name}}
To retrieve the machine name for a given username, use this endpoint:
{{url}}/cc/api/versioned/rpUser/{{username}}
For more information, please see the RP User Management and RP Device Management sections in the HYPR Passwordless APIs documentation.
Retrieving the Recovery PIN
After receiving the username and machine name from the user, the Administrator can retrieve the Recovery PIN from the User Management page in the Control Center.


The Administrator can also make a HYPR API call to retrieve the associated PIN via the following endpoint:
{{url}}/rp/api/versioned/recoverypin/retrieve
For example:
curl --location --request POST 'https://highlandsbank.com/cc/api/versioned/recoverypin/retrieve' \
  --header 'Authorization: Bearer 110f7826-d95e-12d2-42ce-8bd67fb20bb9' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "machineName": "Grace'\''s Mac",
    "userName": "gracehopper"
  }'
If the call is successful, the response includes the Recovery PIN value, which can be communicated to the user:
{
  "username": "gracehopper",
  "machineName": "Grace's Mac",
  "validTime": 72,
  "pinsRemainingHours": 72,
  "recoveryPin": "7m3pzmfb",
  "remainingPins": 2
}
For a full description of this call, please see the HYPR Public APIs documentation.
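The retrieval call above, scripted as an added example (not HYPR's own code): it reads the bearer token from an environment variable instead of the command line, checks that the response is for the requested username/machine pair, and produces a ticket line that never contains the PIN. The variable name HYPR_API_TOKEN, the function names and the low-PIN threshold are assumptions; the path is the one used in the curl example.

```python
import json
import os
import urllib.request

RETRIEVE_PATH = "/cc/api/versioned/recoverypin/retrieve"  # path from the page's curl example

# Response body as shown on the page, reused here as offline sample input.
SAMPLE_RESPONSE = ('{"username": "gracehopper", "machineName": "Grace\'s Mac", "validTime": 72,'
                   ' "pinsRemainingHours": 72, "recoveryPin": "7m3pzmfb", "remainingPins": 2}')


def build_request(base_url, machine_name, username, token):
    """Build the POST; json.dumps quotes names such as "Grace's Mac" without shell escaping."""
    body = json.dumps({"machineName": machine_name, "userName": username}).encode("utf-8")
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    return urllib.request.Request(base_url.rstrip("/") + RETRIEVE_PATH, data=body,
                                  headers=headers, method="POST")


def parse_response(raw, machine_name, username):
    """Return the PIN details only if the response is for the requested user/machine pair."""
    doc = json.loads(raw)
    if (doc.get("username"), doc.get("machineName")) != (username, machine_name):
        raise ValueError("response is for a different username/machine name")
    pin = doc.get("recoveryPin")
    if not isinstance(pin, str) or not pin:
        raise ValueError("response contains no recoveryPin")
    return {"pin": pin, "remaining": doc.get("remainingPins"), "valid_hours": doc.get("validTime")}


def audit_line(result, machine_name, username):
    """Ticket/log text: records that a PIN was issued, never the PIN value."""
    note = f"recovery PIN issued user={username!r} machine={machine_name!r} remaining={result['remaining']}"
    # Threshold of 1 is an assumed policy; PINs regenerate when the user next authenticates with HYPR.
    if result["remaining"] is not None and result["remaining"] <= 1:
        note += " WARNING: few PINs left until the user next authenticates with HYPR"
    return note


def retrieve(base_url, machine_name, username):
    """Live call. HYPR_API_TOKEN is an assumed variable name; it keeps the token out of argv."""
    req = build_request(base_url, machine_name, username, os.environ["HYPR_API_TOKEN"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read().decode("utf-8"), machine_name, username)


if __name__ == "__main__":
    result = parse_response(SAMPLE_RESPONSE, "Grace's Mac", "gracehopper")
    print(audit_line(result, "Grace's Mac", "gracehopper"))
```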
Using the Recovery PIN to Log in
After receiving the PIN from the Administrator, the user enters it on the unlock screen (or initial login screen) to access the workstation.

Note that the PIN validity period starts counting down as soon as the user logs in for the first time. (See Recovery PIN Lifespan in the Configuring Recovery Mode section above.)