Automatic Account Recovery allows Futurae users to automatically migrate their Futurae 2FA accounts that are enrolled in a previous device, to a new one. This is a very practical process that reduces the time and cost involved in activating a new device with Futurae 2FA each time an existing device is lost or replaced.
How it works?
Automatic Account Recovery relies on a secret recovery token that is generated by the Futurae backend and exchanged with the authenticator app, every time the user activates a freshly installed Futurae authenticator or white label app (or a customer app that integrates the Futurae mobile SDK) for the first time.
On Android, the recovery token is stored using the device Key-Value backup (part of the official Google Drive/One backup mechanism), while on iOS it is stored in the iCloud or local encrypted backup, as well as the local keychain of the device.
A freshly installed authenticator app (that supports Automatic Account Recovery) will confirm if a valid recovery token exists and in case it does, will use it to authenticate the communication with the Futurae backend and check if the user has Futurae account(s) that can be recovered from his old device. When at least one account is recoverable, the authenticator app will let the user decide whether to perform Automatic Account Recovery or not.
The recovery token is exclusively required for the Automatic Account Recovery process, and can only be used once. In other words, when the user completes the recovery process, the used recovery token becomes invalid.
Upon successful migration, the user account is re-initialized on the new device. Only the accounts which belong to a Futurae Service that has the Automatic Account Recovery feature enabled (see Enabling Automatic Account Recovery) can be recovered.
The new device will be provisioned with a fresh recovery token which, once backed up, will allow for any activated accounts to be further recovered in a newer device at a later point in time.
Enabling Automatic Account Recovery
Before being able to perform the account recovery, a few conditions must be met on both customer's (responsible for the Futurae Service) and end user's side:
- The Automatic Account Recovery feature must be enabled for the Futurae Service that the user belongs to. This can be done at Futurae Admin by selecting the respective Service on the left Panel and going to Service "Settings" >> "Configuration"
- Your authenticator app must support the Automatic Account Recovery feature. This feature is already supported by the Futurae app and is available for the Futurae white label app upon request. When it comes to the Futurae mobile SDK, please follow the links available in the Useful References section of this article on how to integrate this functionality
End user prerequisites
- The user must have had the Android/iOS backup enabled on the old device, and must have performed at least one successful backup
- For iOS devices, the iCloud Keychain must be enabled on both the old and new devices (this is required for additional security as described in the Security considerations section)
- On the new device, the user must be logged in with the same Google/Apple account used on the old device and restore a backup of the old device that contains the recovery token
- The user must have not enrolled any account yet on the new device (i.e., it must be a fresh installation)
Instructions to enable the Android/iOS backup, as well as the iCloud Keychain, may be found on the links shared in the "Useful references" section of this article.
How to recover my accounts on a new device?
Here is an example of how the user experience is in the Futurae authenticator app (this is also similar in a Futurae white label app that supports Automatic Account recovery). As soon as the user installs the app on the new device and opens it, and assuming the device has online connectivity, the app will display a message informing the user of the possibility of recovering the active accounts, which are enrolled in the previous device.
Upon pressing the Automatic Account Recovery message, the user will have to confirm whether to proceed with the process or cancel it. By accepting the process, the user's Futurae accounts will be automatically removed from the old device and enrolled on the new one.
There's also the option to resume the recovery process later, through the "More" tab of the app.
Nevertheless, please note that in case the user enrolls a new account on the new device before performing Automatic Account Recovery, the user won't be able to perform the recovery anymore.
Can I recover my accounts on the same device after reinstalling the app?
Yes. The requirements are basically the same, except that in this case there is no need to worry about restoring the backup on a new device. Since the recovery token is kept in the local keychain on iOS devices, as well as automatically restored from the key-value backup on Android devices once you reinstall the authenticator app, the Automatic Account Recovery message will be displayed so that you can start the process. (Note for Android: the recovery token must of course be already backed up in the Key-Value backup of the device.)
As described above, the Automatic Account Recovery process is authenticated by a secret recovery token that is securely stored on the device and the device backups.
Since Android Pie, backups are stored encrypted. The encryption key is protected with the device
PIN / pattern / password lock, in case the user has enabled it.
When it comes to iOS, the backups are stored encrypted (on the cloud, or locally on a computer). The encryption key is protected with the device PIN / password lock (for local backups), or by the username / password (for iCloud backups). Moreover, since the Automatic Account Recovery mechanism is designed to require the iCloud keychain to be enabled, we can ensure that for users on iOS 13 or later two-factor authentication must be enabled for their Apple ID accounts.
You can further enhance the security of Automatic Account Recovery, by using Futurae Adaptive Authentication. In a nutshell, Adaptive Authentication will evaluate the risk of a recovery request and decide whether to accept or reject it, based on the user's contextual information. For additional information, please get in touch with our sales team by filling the form available here.
Android SDK Automatic account recovery guide
iOS SDK Automatic account recovery guide
Enabling backup Android devices
Android key value pairs backup
Enabling backup on iOS devices
iOS Keychain services
Enabling Keychain on iOS device