- Filter the key records to show only the user you want to see (Figure 1)
Select “Show Recovery OATH tokens” from the View menu or the toolbar (Figure 2)
Locate the correct record for the workstation that the user is trying to log into (Figure 3)
In the Properties dialog for this recovery token, click the “Show Current Code” link (Figure 4)
Communicate this OTP to the user in an out-of-band fashion such as via a phone call. Please note that this code will change every 30 seconds. Although there is a grace period around the OATH token's usage, you should wait to view the current OTP code until the user is ready to enter their logon credentials.
The user enters this value in just the same manner as they would use any other normal OATH token. The only difference here is that the code is being viewed by an administrator on the LAN instead of by the user on their phone.
To work, this feature requires that you enable OATH tokens in Token Settings.
Logon sessions using a recovery token (or an Offline OATH token) cannot acquire 2-factor network logons such as Kerberos or NTLM. It will only authenticate to the workstation's desktop.