---
title: Replace lost second-factor authentication devices
description: "Estimated time to complete: 15 minutes."
component: pingoneaic
page_id: pingoneaic:use-cases:use-case-lost-second-factor
canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-lost-second-factor.html
section_ids:
  lost-second-factor-goals: Goals
  lost-second-factor-before-begin: Before you begin
  lost-second-factor-tasks: Tasks
  lost-second-factor-task-1: "Task 1: Create the journey"
  lost-second-factor-task-2: "Task 2: Configure the journey"
  lost-second-factor-validation: Validation
  lost-second-factor-validation-steps: Steps
  lost-second-factor-validation-step-1: Register a FIDO2-enabled device and store the recovery codes
  lost-second-factor-validation-step-2: Use a recovery code to register a new FIDO2-enabled device
  troubleshooting: Troubleshooting
---

# Replace lost second-factor authentication devices

Estimated time to complete: 15 minutes. This assumes you complete the prerequisites beforehand.

In this use case, you create a journey in PingOne Advanced Identity Cloud that lets end users recover from a lost or stolen second-factor authentication device.

The journey uses the [WebAuthn](https://webauthn.guide/#intro) nodes for the [FIDO2](https://fidoalliance.org/fido2/) standard to allow end users to authenticate with a recovery code instead of their missing device. After authentication, they're guided through the process of creating a new passkey for their replacement device. The end user can then remove the old device from their profile.

## Goals

After completing this use case, you'll know how to do the following:

* Create a journey that includes WebAuthn nodes for FIDO2-enabled device registration and authentication.

* Authenticate end users if their registered device is lost or stolen.

## Before you begin

Before you start work on this use case, make sure you meet the following prerequisites:

* A basic understanding of journeys.

* Access to your Advanced Identity Cloud development environment as a tenant administrator.

* An [end user](use-case-test-users-and-roles.html) in Advanced Identity Cloud to test the journey. Make sure this user doesn't have any devices registered on their profile.

* Two FIDO2-enabled devices to simulate the lost device scenario. A FIDO2-enabled device is a hardware authenticator that lets end users sign on without a password by using public key cryptography. It can be a built-in platform authenticator (for example, Windows Hello or Apple Touch ID) or an external security key (for example, a YubiKey).

* A WebAuthn-compatible browser (such as Google Chrome, Mozilla Firefox, Microsoft Edge, or Apple Safari) on the devices you'll use for testing. Learn more in [MFA: Authenticate using a device with WebAuthn and passkeys](../am-authentication/authn-mfa-webauthn.html).

## Tasks

### Task 1: Create the journey

1. Sign on to the Advanced Identity Cloud admin console as a tenant administrator.

2. Go to Journeys > Journeys and click + New Journey.

3. Enter at least the following:

   | Field           | Value                                                                           |
   | --------------- | ------------------------------------------------------------------------------- |
   | Name            | `Device recovery`                                                               |
   | Identity Object | `managed/alpha_user`                                                            |
   | Description     | `Device recovery journey to replace lost second-factor authentication devices.` |

4. Click Save.

   The journey editor opens displaying the journey canvas.

5. Search for and drag the following nodes onto the canvas:

   * Page node containing:

     * Platform Username node

     * Platform Password node

   * Data Store Decision node

   * WebAuthn Authentication node

   * Recovery Code Collector Decision node

   * WebAuthn Registration node

   * WebAuthn Device Storage node

   * Recovery Code Display node

   * Increment Login Count node

6. Connect the nodes, clicking Save from time to time to keep your work:

   ![Journey for lost second-factor authentication device recovery](_images/use-case-lost-second-factor/webauthn-with-recovery-codes-journey.png)

   | Source node                                                                                                                       | Outcome path           | Target node                           |
   | --------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | ------------------------------------- |
   | Start (person icon)                                                                                                               | →                      | Page node                             |
   | [Page node](https://docs.pingidentity.com/auth-node-ref/latest/page.html) (containing the Platform Username and Platform Password nodes) | →               | Data Store Decision node              |
   | [Data Store Decision node](https://docs.pingidentity.com/auth-node-ref/latest/data-store-decision.html)                           | `True`                 | WebAuthn Authentication node          |
   |                                                                                                                                   | `False`                | Failure node                          |
   | [WebAuthn Authentication node](https://docs.pingidentity.com/auth-node-ref/latest/webauthn-authentication.html)                   | `Unsupported`          | Failure node                          |
   |                                                                                                                                   | `No Device Registered` | WebAuthn Registration node            |
   |                                                                                                                                   | `Success`              | Increment Login Count node            |
   |                                                                                                                                   | `Client Error`         | Failure node                          |
   |                                                                                                                                   | `Recovery Code`        | Recovery Code Collector Decision node |
   | [Recovery Code Collector Decision node](https://docs.pingidentity.com/auth-node-ref/latest/recovery-code-collector-decision.html) | `True`                 | WebAuthn Registration node            |
   |                                                                                                                                   | `False`                | Failure node                          |
   | [WebAuthn Registration node](https://docs.pingidentity.com/auth-node-ref/latest/webauthn-registration.html)                       | `Unsupported`          | Failure node                          |
   |                                                                                                                                   | `Success`              | WebAuthn Device Storage node          |
   |                                                                                                                                   | `Failure`              | Failure node                          |
   |                                                                                                                                   | `Client Error`         | Failure node                          |
   | [WebAuthn Device Storage node](https://docs.pingidentity.com/auth-node-ref/latest/webauthn-device-storage.html)                   | `Success`              | Recovery Code Display node            |
   |                                                                                                                                   | `Failure`              | Failure node                          |
   | [Recovery Code Display node](https://docs.pingidentity.com/auth-node-ref/latest/recovery-code-display.html)                       | →                      | Increment Login Count node            |
   | [Increment Login Count node](https://docs.pingidentity.com/auth-node-ref/latest/increment-login-count.html)                       | →                      | Success node                          |

   The `Recovery Code` outcome is available only if you enable recovery codes in the WebAuthn Authentication node.

### Task 2: Configure the journey

In this task, you'll configure the journey you created in the previous task.

1. Configure the WebAuthn Authentication node to allow recovery codes:

   1. Click the WebAuthn Authentication node.

   2. In the node configuration, select the Allow recovery codes checkbox and click Save. This enables the `Recovery Code` outcome.

   3. Connect the `Recovery Code` outcome to the Recovery Code Collector Decision node.

2. Configure the Recovery Code Collector Decision node to use WebAuthn recovery codes:

   1. Click the Recovery Code Collector Decision node.

   2. In the Recovery Code Type list, select `WEB_AUTHN` and click Save. This tells the node to validate recovery codes specifically generated for WebAuthn.

3. Configure the WebAuthn Registration node to store device data in a transient state:

   1. Click the WebAuthn Registration node.

   2. Select the Store device data in a transient state checkbox. This passes the registration data to the WebAuthn Device Storage node, which handles the saving of the device to the user profile.

4. Click Save to save the journey.

## Validation

Now that you've created and configured the journey, you're ready to validate the end-to-end flow.

The validation process has two parts:

* Register a FIDO2-enabled device and store the recovery codes

* Use a recovery code to sign on to Advanced Identity Cloud and register a different FIDO2-enabled device

### Steps

Note: The steps may differ slightly depending on your browser type. The example uses Google Chrome.

#### Register a FIDO2-enabled device and store the recovery codes

As a tenant administrator:

1. Sign on to the Advanced Identity Cloud admin console.

2. Go to Journeys > Journeys and click `Device recovery`.

3. In the Preview URL field, click the copy icon to copy the journey's URL.

4. Paste the URL somewhere accessible for the next steps.

As an end user:

1. Access your first FIDO2-enabled device, for example, a laptop with built-in fingerprint reader.

2. In a browser, paste the URL from the previous steps.

   Note: If you're using the same device as the tenant administrator, use an incognito browser window.

   You're prompted to enter a set of end-user credentials.

3. Enter the username and password of the end user you set up in the prerequisites section and click Next.

4. Choose where to save your passkey for the device. For example, `This device` or `Your Chrome profile`.

5. Click Continue.

6. Follow the browser prompts to create your passkey.

7. On the Device sign-in is enabled page, copy or download the recovery codes and store them securely.

   Note: The codes won't be shown again, so it's important to save them now.

   ![Copy recovery codes](_images/use-case-lost-second-factor/recovery-codes.png)

8. Click Done.

   After the device is registered, you're signed on to the hosted account pages as the end user.

9. Click Profile on the left menu pane to display the end user's profile information.

   In the Sign-in & Security section, 2-Step Verification should be `On`. This indicates that a device is registered.

   ![2-Step Verification On](_images/use-case-lost-second-factor/two-step-verification-on.png)

10. Click Change next to 2-Step Verification to view the registered device.

    ![Use recovery code](_images/use-case-lost-second-factor/new-security-key.png)

11. Rename the registered device to something recognizable:

    1. Next to New Security Key, click ⋯ > Edit Name.

    2. Enter a new name for the device. For example, `Alex's laptop`.

       ![Rename registered device](_images/use-case-lost-second-factor/rename-two-step-device.png)

    3. Click Save.

12. Sign out of the hosted account pages.

#### Use a recovery code to register a new FIDO2-enabled device

As an end user:

1. Access your second FIDO2-enabled device, for example, a mobile phone or a laptop using a portable hardware security key.

2. In a browser, paste the journey URL you copied earlier.

3. Enter the username and password of the end user you set up in the prerequisites section and click Next.

4. Click Use Recovery Code.

   ![Enter recovery code link](_images/use-case-lost-second-factor/use-recovery-code.png)

5. Enter one of the recovery codes you saved in the previous steps and click Next.

   ![Use recovery code](_images/use-case-lost-second-factor/enter-recovery-code.png)

6. Choose where to save your passkey for the new device and click Continue.

7. Follow the browser prompts to create a new passkey.

8. On the Device sign-in is enabled page, copy or download the recovery codes for the new device and store them securely.

   Note: The codes won't be shown again, so it's important to save them now.

   After the device is registered, you're signed on to the end user's hosted account pages.

9. Click Profile on the left menu pane to display the end user's profile information.

10. Click Change next to 2-Step Verification.

    There are now two devices registered for the account.

    ![Use recovery code](_images/use-case-lost-second-factor/two-registered-devices.png)

11. Rename the new registered device to something recognizable:

    1. Next to New Security Key, click ⋯ > Edit Name.

    2. Enter a new name. For example, `Alex's new laptop`.

    3. Click Save.

12. Remove the old device from the end user's profile:

    1. Click Change next to 2-Step Verification.

    2. For the old device, click ⋯ > Delete.

    3. Confirm the removal by clicking Delete device.

13. Sign out of the Advanced Identity Cloud end-user UI.

## Troubleshooting

If you encounter issues during validation, consider the following:

* If you can't sign on using a recovery code, make sure the code is valid and hasn't already been used.

* If you can't register a new device, make sure your browser supports WebAuthn and that you're following the browser prompts correctly.
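The two troubleshooting points above come down to properties of how recovery codes are handled: a code is accepted only if it matches one that was issued, and only the first time it is presented. The following Python model is an added example, not PingOne Advanced Identity Cloud's own code or storage format. It shows a user's recovery-code set kept only as salted digests (so a copy of the profile store does not reveal usable codes), constant-time matching, single-use redemption, and a fresh set being issued when the replacement device is registered. The names `RecoveryCodeSet`, `issue`, `redeem`, `remaining`, the code alphabet and the code length are all assumptions of the model. In this model the set issued with the replacement device supersedes the earlier one; the validation steps show new codes being displayed for the new device, but the page does not state how the product treats the earlier set, so treat that as a modelling assumption.

```python
"""Model of one-time recovery codes for a lost-second-factor flow.

Added example: NOT PingOne Advanced Identity Cloud's implementation.
It models the properties the journey relies on: codes are shown to the
user once, stored only as digests, accepted once, and a whole new set
is issued when a replacement device is registered.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed alphabet: lowercase letters and digits without 0/o/1/l/i lookalikes,
# so a code read back from paper is less likely to be mistyped.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10   # assumption of the model
CODE_COUNT = 10    # assumption of the model


def _digest(code: str, salt: bytes) -> bytes:
    """Salted SHA-256 of the normalised code (whitespace stripped, lowercased).

    A real deployment may prefer a slow KDF; SHA-256 keeps the model short.
    """
    return hashlib.sha256(salt + code.strip().lower().encode("utf-8")).digest()


@dataclass
class RecoveryCodeSet:
    """One user's recovery codes, kept only as digests with a per-set salt."""
    salt: bytes
    digests: list = field(default_factory=list)
    used: set = field(default_factory=set)   # indexes of digests already redeemed

    @classmethod
    def issue(cls, count: int = CODE_COUNT):
        """Generate a fresh set. Returns (store, plaintext codes).

        The plaintext list is what the Recovery Code Display node would show;
        it is returned once and never retained by the store.
        """
        salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
                 for _ in range(count)]
        store = cls(salt=salt, digests=[_digest(c, salt) for c in codes])
        return store, codes

    def redeem(self, candidate: str) -> bool:
        """Accept a code exactly once. True only on the first valid presentation."""
        cand = _digest(candidate, self.salt)
        # Compare against every slot (no early exit) so timing does not depend
        # on which slot, if any, matched.
        matches = [i for i, d in enumerate(self.digests) if hmac.compare_digest(d, cand)]
        if not matches:
            return False            # not a code that was issued
        index = matches[0]
        if index in self.used:
            return False            # valid code, but already spent
        self.used.add(index)
        return True

    def remaining(self) -> int:
        """How many unused codes the user still holds."""
        return len(self.digests) - len(self.used)


def simulate_lost_device_flow() -> dict:
    """Walk the recovery path of the journey and report what each step returned."""
    outcome = {}
    # Device 1 registered: a set is issued and shown once to the user.
    user_codes, codes_v1 = RecoveryCodeSet.issue()
    # Device 1 lost: the user presents a saved code (Recovery Code Collector Decision -> True).
    outcome["first_use_accepted"] = user_codes.redeem(codes_v1[0])
    # The same code presented again must fail (-> False): single use.
    outcome["replay_rejected"] = not user_codes.redeem(codes_v1[0])
    # A code that was never issued must fail as well.
    outcome["unknown_rejected"] = not user_codes.redeem("not-a-real-code")
    # Device 2 registered: a fresh set replaces the old one (modelling assumption).
    user_codes, codes_v2 = RecoveryCodeSet.issue()
    outcome["old_set_invalid_after_reissue"] = not user_codes.redeem(codes_v1[1])
    outcome["new_set_valid"] = user_codes.redeem(codes_v2[0])
    outcome["remaining_after_recovery"] = user_codes.remaining()
    return outcome


if __name__ == "__main__":
    for step, result in simulate_lost_device_flow().items():
        print(f"{step}: {result}")
```

When a recovery-code sign-on fails during validation, the two checks in `redeem` are the ones to reason about: whether the code the user typed is one from the set that is currently current for that account, and whether it has already been spent in an earlier attempt.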
