When users are unable to authenticate through standard methods—such as SMS, email OTP, or TOTP—due to outages, technical issues, or loss of access to their registered device, customer support can assist by providing a temp code. The Temporary Access Code, issued manually by customer support, serves as an alternative authentication method.
This secure solution allows users to regain access to their accounts during recovery flows.
This guide covers the Admin Portal approach, where a help desk admin generates the code directly from the user profile page — no custom backend integration required. For a journey-based integration, see Account recovery with temp code (journey based).
Temporary Access Code authentication combines human verification of the user's identity with validation of the code by Mosaic. The process begins when the user contacts customer support, who verifies their identity using security questions or other manual methods. After verification, a support agent generates a Temporary Access Code directly from the user's profile page in the Admin Portal (Step 4) and securely delivers it to the user via an offline method, such as a phone call or secure message. The user then enters the code, along with their identifier, in the client app (Step 3). Mosaic validates the Temporary Access Code to complete the process.
If this is your first time integrating with Mosaic, create an application in the Admin Portal as described here and create a user. This flow can only be used for existing users.
Configure temp code settings in the Admin Portal > B2C or B2B Identity based on your setup > Authentication methods > One-time passcodes. Temp code shares the same settings as OTPs:
- Expiration time: set how long the code remains valid (in minutes). Default: 5 minutes.
- Code length: set the length of the one-time code.
- Lockout: configure the simple lockout policy:
  - Failed attempts allowed before lockout: set the number of failed attempts that trigger a temporary lockout. Default: 3.
  - Lockout duration: define how long the user must wait before they can try again. Default: 15 minutes.
- Cross-client OTP flow: enable this setting to allow one client to initiate OTP generation while a different client submits it. This must be enabled for admins to generate codes from the Admin Portal.
To allow users to authenticate using a Temporary Access Code, provide a UI where they can enter their User ID and Temporary Access Code. Expected flow:
- The user enters their User ID and Temporary Access Code.
- The client app submits both values to validate the code against Mosaic.
- On success, the user regains access. On failure, display an appropriate error message.
- The user must already exist in the app and be associated with it.
- The admin performing this action must have the Generate temporary access code (Write) permission under the Users tree. See Manage admin users.
Once the user's identity has been verified:
- From Admin Portal > B2C or B2B Identity based on your setup > Users page, click the relevant user, then select the Applications tab.
- On the relevant application row, click > Generate temporary access code.
- The generated code is displayed in a modal. Copy it and securely provide it to the user (e.g., via phone call or secure chat).
The code follows the expiration and lockout policy configured in Step 2.
When a temporary access code is generated via the Admin Portal, an admin_recovery_otp_code_generated event is recorded in the admin activity log. See Admin activity events.
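Because every generated code leaves an admin_recovery_otp_code_generated event, the activity log can be monitored for unusual issuance. The following is an added example, not Mosaic's own code, that flags an admin issuing many codes, or a user receiving repeated codes, within a short window. The record field names (time, type, admin, user), the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EVENT = "admin_recovery_otp_code_generated"  # event name from this page

# Constructed sample records. Field names (time, type, admin, user) are
# assumptions for illustration, not Mosaic's actual log schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "type": EVENT, "admin": "alice", "user": "u1"},
    {"time": "2024-05-01T09:02:00", "type": EVENT, "admin": "alice", "user": "u2"},
    {"time": "2024-05-01T09:03:00", "type": "admin_login", "admin": "bob", "user": None},
    {"time": "2024-05-01T09:04:00", "type": EVENT, "admin": "alice", "user": "u3"},
    {"time": "2024-05-01T09:05:00", "type": EVENT, "admin": "alice", "user": "u4"},
    {"time": "2024-05-01T10:00:00", "type": EVENT, "admin": "bob", "user": "u9"},
    {"time": "2024-05-01T10:20:00", "type": EVENT, "admin": "carol", "user": "u9"},
    {"time": "2024-05-01T10:25:00", "type": EVENT, "admin": "bob", "user": "u9"},
]


def find_anomalies(events, window=timedelta(minutes=30), admin_limit=3, user_limit=2):
    """Return sorted (kind, subject, count) alerts: an admin issuing more than
    admin_limit codes, or a user receiving more than user_limit codes, inside
    one sliding time window."""
    per_admin, per_user = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["type"] != EVENT:          # ignore unrelated admin activity
            continue
        ts = datetime.fromisoformat(ev["time"])
        per_admin[ev["admin"]].append(ts)
        per_user[ev["user"]].append(ts)

    alerts = []
    for kind, groups, limit in (("admin_burst", per_admin, admin_limit),
                                ("user_repeat", per_user, user_limit)):
        for subject, stamps in groups.items():
            stamps.sort()
            start, worst = 0, 0
            for end, ts in enumerate(stamps):
                while ts - stamps[start] > window:   # shrink window from the left
                    start += 1
                worst = max(worst, end - start + 1)  # densest window seen so far
            if worst > limit:
                alerts.append((kind, subject, worst))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Tune the window and limits to your help desk's normal volume; a user who receives several codes from different admins in one window is worth a manual review of how their identity was verified.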