9.28 SMS OTP

In the SMS OTP authentication method, a one-time password (OTP) is sent in an SMS text message to the user’s phone. The user receives the OTP and enters it on the device where the authentication is happening. The OTP must be used within a specific time frame. An OTP delivered by text message adds a possession factor (the user’s phone) to the authentication and so mitigates password-only attacks such as credential stuffing; it does not by itself stop real-time phishing, where a user is tricked into typing the code into an attacker’s page. For this reason, SMS OTP is recommended to be used in a chain with other methods, such as Password or LDAP Password.

When authenticating on the same smartphone that receives the SMS, a user can do one of the following, depending on the smartphone platform:

  • iOS: The OTP is captured automatically. Tap the input field and the OTP is displayed above the keyboard.

  • Android 11 and later: Tap Copy <OTP> in the SMS notification, then tap the input field. The OTP is displayed above the keyboard.

  • Android 10 and earlier: Open the SMS notification and copy the OTP. Tap the input field and the OTP is displayed above the keyboard.

NOTE: In the user’s settings of a repository, ensure that a phone number without an extension is used. No SMS is sent to the user’s mobile if the phone number contains an extension.

To configure the SMS OTP method, specify the following details:

  • OTP Period: The lifetime of an OTP in seconds. The default value is 120 seconds; the maximum value is 360 seconds. An OTP entered after this period has elapsed is rejected.

  • OTP format: The number of digits in the OTP. The default value is 6.

  • Body: The text of the SMS that is sent to the user. The following variables can be used in the text:

    • {otp}: One-Time Password.

      NOTE: In Body, place the {otp} variable first so that Android or iOS can capture the OTP.

    • {user}: Name of the user.

    • {endpoint}: The device the user is authenticating to.

    • {event}: The name of the event the user is trying to authenticate to.

    • {number}: The sequence number of the OTP that the user is required to specify to authenticate.

    The text in {} is a variable. {otp} is a required variable; the other variables are optional. Apart from these default variables, custom variables are not supported. You can customize the text outside {}.

    For example:

    1. Company Name: a one-time password for multifactor authentication: {otp}.

    2. {user} is trying to log in to {event}. Please approve it by using the OTP: {otp}. Security Department.

  • Allow re-sending after (seconds): The minimum number of seconds after the previous OTP was sent before a fresh OTP can be re-sent for the authentication. Requests to re-send within this interval are not serviced, which limits repeated SMS sending to a user’s phone.

  • User cell phone attribute: The attribute that holds the cell phone number of a user to which the OTP is sent through SMS. You can use attributes such as mobile, homePhone, ipPhone, and other attributes of the repository. You must define the attribute in User Cell Phone Attributes of the Repositories section.

    NOTE: If you do not configure the attribute in the method settings, the first attribute defined in the User Cell Phone Attributes section of the repository configuration is used when the user authenticates. For example, if mobile is the first attribute defined in User Cell Phone Attributes and no attribute is configured in the SMS OTP method settings, the mobile attribute is used for SMS OTP authentication.

  • Allow overriding phone number: Option that controls whether users can provide, during enrollment, a phone number other than the one registered in the LDAP repository. The option is set to ON by default. Set it to OFF to prevent users from specifying a different phone number during enrollment, so that the OTP is always sent to the number held in the repository.

  • Verify phone number: Option that sends a verification code to the specified phone number and allows users to validate the phone number during manual enrollment. The option is set to OFF by default. Set this option to ON to let users check that the phone number is valid before the enrollment completes.

  • Allow user enrollment without a phone: Option that controls whether a user can enroll the SMS OTP authenticator without a phone number in the repository.

    Set this option to OFF to ensure that a user cannot enroll the SMS OTP authenticator without a phone. The user is shown an error message that you can specify in Error message.

    Set this option to ON to allow the user to enroll the SMS OTP authenticator without a phone.

    If the user’s phone number is available in the repository, the account gets enrolled automatically.

  • Allow as first authentication method: Option that allows a user to authenticate using a chain where SMS OTP authenticator is the first authentication method.

    The option is set to ON by default. Set this option to OFF to prevent users from authenticating using a chain where SMS OTP is the first authentication method, so that another method, such as Password or LDAP Password, must precede it.

    If the option is set to OFF and a user tries to authenticate using a chain where SMS OTP is the first authentication method, the message The method cannot be first in the login chain is displayed and the user cannot authenticate.
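The following Python sketch is an added illustration of how the settings above fit together on the server side; it is not code from the page or from the product. It validates a Body template (the {otp} requirement, the "no custom variables" rule, and the "{otp} first" advice as a warning), generates a zero-padded OTP of the configured digit count with a CSPRNG, enforces OTP Period and Allow re-sending after, and accepts each code once, using a constant-time comparison. The class and function names, the 30-second resend default, the minimum digit count, and the use of {number} as the per-session send count are assumptions made for the example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented values of the SMS OTP method settings.
DEFAULT_OTP_PERIOD = 120   # seconds
MAX_OTP_PERIOD = 360       # seconds
DEFAULT_OTP_DIGITS = 6
# Variables the Body template supports; custom variables are not supported.
SUPPORTED_VARS = {"otp", "user", "endpoint", "event", "number"}

_VAR_RE = re.compile(r"\{([^{}]*)\}")


def validate_body(body: str) -> Dict[str, List[str]]:
    """Check an SMS Body template. 'errors' should block saving the template;
    'warnings' flag text that works but defeats OTP capture on the phone."""
    errors, warnings = [], []
    names = _VAR_RE.findall(body)
    if "otp" not in names:
        errors.append("{otp} is required")
    for name in names:
        if name not in SUPPORTED_VARS:
            errors.append("unsupported variable {%s}" % name)
    if "otp" in names and not body.lstrip().startswith("{otp}"):
        warnings.append("{otp} should be placed first so Android/iOS can capture it")
    return {"errors": errors, "warnings": warnings}


def render_body(body: str, values: Dict[str, str]) -> str:
    """Substitute the supported variables; text outside {} is passed through."""
    return _VAR_RE.sub(lambda m: str(values.get(m.group(1), m.group(0))), body)


@dataclass
class SmsOtpMethod:
    """Method settings. resend_after has no documented default; 30 s is assumed."""
    otp_period: int = DEFAULT_OTP_PERIOD
    otp_digits: int = DEFAULT_OTP_DIGITS
    resend_after: int = 30
    body: str = "{otp} is your one-time password for {event}. Enter it on {endpoint}."

    def __post_init__(self):
        if not 1 <= self.otp_period <= MAX_OTP_PERIOD:
            raise ValueError("OTP Period must be 1..%d seconds" % MAX_OTP_PERIOD)
        if self.otp_digits < 4:  # assumed lower bound, not a documented limit
            raise ValueError("OTP format: too few digits")
        errors = validate_body(self.body)["errors"]
        if errors:
            raise ValueError("Body: " + "; ".join(errors))


@dataclass
class IssuedOtp:
    code: str
    issued_at: float
    used: bool = False


class SmsOtpSession:
    """Server-side state for one user's SMS OTP step in a login chain."""

    def __init__(self, method: SmsOtpMethod, user: str, endpoint: str, event: str):
        self.method, self.user, self.endpoint, self.event = method, user, endpoint, event
        self.state: Optional[IssuedOtp] = None   # exposed here only for demonstration
        self.sent_count = 0
        self.last_sent: Optional[float] = None

    def send(self, now: float) -> Optional[str]:
        """Generate a fresh OTP and return the SMS text to hand to the SMS Sender.
        Returns None while 'Allow re-sending after' has not elapsed (throttled)."""
        if self.last_sent is not None and now - self.last_sent < self.method.resend_after:
            return None
        digits = self.method.otp_digits
        # CSPRNG, zero-padded so leading zeros are kept ("001234" is a valid code).
        code = "%0*d" % (digits, secrets.randbelow(10 ** digits))
        self.state = IssuedOtp(code=code, issued_at=now)   # replaces any earlier OTP
        self.sent_count += 1
        self.last_sent = now
        return render_body(self.method.body, {
            "otp": code, "user": self.user, "endpoint": self.endpoint,
            "event": self.event, "number": str(self.sent_count),
        })

    def verify(self, submitted: str, now: float) -> bool:
        """Accept a code once, only within OTP Period, compared in constant time."""
        s = self.state
        if s is None or s.used:
            return False
        if now - s.issued_at > self.method.otp_period:
            return False
        if not hmac.compare_digest(s.code.encode(), submitted.strip().encode()):
            return False
        s.used = True
        return True
```

Note that the page’s own Body examples 1 and 2 place {otp} after other text, so validate_body reports a warning for them, while a template that starts with {otp} passes cleanly.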

NOTE: After configuring the SMS OTP method, you must configure the SMS Sender policy to deliver the SMS OTP to users.