AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens Installation and Upgrading Configuration Token Management How to Log In Troubleshooting
Each AuthLite-aware workstation will create a “recovery token” for each AuthLite user that logs in, and publishes it to your AuthLite data store. If a user is offline from the domain and does not have their token, then an administrator can find the correct recovery token for that user and workstation, and reveal the current OTP value for that token. Reading the value (for example) over the phone to the user, will allow them to enter the value and authenticate to the workstation without their normal token.

To use:

  • Filter the key records to show only the user you want to see (Figure 1)
  • Select “Show Recovery OATH tokens” from the View menu or the toolbar (Figure 2)

  • Locate the correct record for the workstation that the user is trying to log into (Figure 3)

  • In the Properties dialog for this recovery token, click the “Show Current Code” link (Figure 4)

Communicate this OTP to the user in an out-of-band fashion such as via a phone call. Please note that this code will change every 30 seconds. Although there is a grace period around the OATH token's usage, you should wait to view the current OTP code until the user is ready to enter their logon credentials.

The user enters this value in just the same manner as they would use any other normal OATH token. The only difference here is that the code is being viewed by an administrator on the LAN instead of by the user on their phone.


  • To work, this feature requires that you enable OATH tokens in Token Settings.

  • Logon sessions using a recovery token (or an Offline OATH token) cannot acquire 2-factor network logons such as Kerberos or NTLM. It will only authenticate to the workstation's desktop.