One of the authentication options offered by Password Manager is a phone-based authentication. It allows you to require users to enter a verification code on the Self-Service or Helpdesk Site. The verification code can be sent as an SMS or automated call. The phone-based authentication service is by provided by TeleSign.
About Password Manager
Getting started
Different sites for different roles
Password Manager components
Licensing
Installing Password Manager: Checklist
Installing Password Manager
Password Manager architecture
Configuring the Password Manager service account and the application pool identity
Enabling HTTPS
Installing Password Manager
Initializing instance
Installing Password Manager Self-Service Site and Helpdesk Site on a standalone server
FailSafe support in Password Manager
Installing multiple instances of Password Manager
Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Websites
Step 1: Obtain and install custom certificates from a trusted Windows-based certification authority
Step 2: Providing certificate issued for server computer to Password Manager Service
Step 3: Providing certificate issued for client computers to Self-Service and Helpdesk Sites
Configuring Management Policy
Configuring user scope
Password Manager components and third-party applications
Management policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
Password Policy Manager
Secure Password Extension
Offline Password Reset
Migration Wizard
TeleSign
SQL Server Database and SQL Server Reporting Services
One Identity Quick Connect Sync Engine
Defender
Password Manager Secure Token Server
RADIUS Two-Factor Authentication
Redistributable Secret Management Service
Location sensitive authentication
Password Manager permission checker
Working with Power BI templates
Password Manager Credential Checker
Typical deployment scenarios
Simple deployment
Deployment of the Password Manager Self-Service and Helpdesk Sites on standalone servers
Realm deployment
Multiple realm deployment
Password Manager in a perimeter network
Installing Password Manager in perimeter network with read-only domain controllers
Installing Password Manager in perimeter network with reverse proxy
Installing Password Manager in perimeter network without AD DS
Management Policy overview
Password policy overview
Using One Identity password policies
Using fine-grained password policies
Applying multiple password policies
Using Password Policy Manager
Secure Password Extension overview
Locating Self-Service Site
reCAPTCHA overview
Obtaining Self-Service Site URL from service connection point
Changing the Self-Service Site URL on the Administration Site
Launching user notification
How reCAPTCHA works
How to use reCAPTCHA V2 on Password Manager sites
System requirements for using reCAPTCHA
References
User enrollment process overview
Questions and Answers policy overview
Password change and reset process overview
Resetting and changing password in connected systems
Enforcing password history when resetting password
Replicating password changes
Data replication
Phone-based authentication service overview
Checklist: Configuring Password Manager
Understanding Management Policies
Adding or cloning a new Management Policy
Configuring access to the Administration Site
Configuring access to the Password Manager Self-Service Site
Configuring access to the Helpdesk Site
General Settings
Specifying advanced settings for domain connection
Changing the domain management account
Removing a domain connection
Configuring Questions and Answers policy
Creating secret questions
Adding secret questions
Editing and deleting secret questions
Configuring Q&A profile settings
Workflow overview
Custom workflows
Custom activities
Custom activity settings
Creating custom activities
Importing and exporting custom activities
Removing custom activities
Password Manager Self-Service Site workflows
Register
Manage My Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode task
Password Manager Self-Service Site activities overview
Helpdesk workflows
Authentication activities
Display CAPTCHA
Authentication methods
Authenticate with password
Authenticate with Q&A profile (random questions)
Authenticate with Q&A Profile (specific questions)
Authenticate with Q&A Profile (User-selected questions)
Authenticate with Defender
Authenticate with external provider
Authenticate with RADIUS Two-Factor Authentication
Authenticate via phone
Authenticate with passcode
Action activities
Register
Manage My Profile
Edit Q&A Profile
Reset Password in Active Directory
Changing passwords in Active Directory
Reset Password in Active Directory and Connected Systems
Changing password in Active Directory and connected systems
Reset password in connected systems through embedded connectors
Unlock account
Enable Account
Force user to change password at next logon
Subscribe to notifications
Lock Q&A Profile
Display user agreement
Restart workflow if error occurs
Issue BitLocker Recovery Key
Provide product feedback
Notification activities
Assign Passcode
Reset Password
Unlock Account
Unlock Profile
Verify User Identity
Enforce Update of Profile
Helpdesk Activities Overview
Notification activities
Customizing notifications
Email user if workflow succeeds
Email user if workflow fails
Email administrator if workflow succeeds
Email administrator if workflow fails
User enforcement rules
General Settings overview
Search and logon options
Importing and exporting configuration settings
Outgoing mail servers
Diagnostic logging
Scheduled tasks
Upgrading Password Manager
Invitation to Create/Update Profile Task
Reminder to Create/Update Profile Task
Reminder to Change Password Task
Active Directory Sites
Maximum Password Age Policy Task
User Status Statistics Task
Clear Old Records from Reporting Database
Environment Health Checker Task
Update RADIUS server status
Web Interface customization
Instance reinitialization
Realm Instances
Domain Connections
Using domain connections
Specifying access account for domain connections
Changing the access account for domain connections
Specifying advanced settings for domain connection
Removing a domain connection
Extensibility features
RADIUS Two-Factor Authentication
Internal Feedback
Customizing help link URL
Password Manager components and third-party applications
Unregistering users from Password Manager
Bulk Force Password Reset
Fido2 key management
Working with Redistributable Secret Management account
Redistributable Secret Management Service supported platforms
Customizing Redistributable Secret Management log path
Email templates
Upgrade requirements
About Secure Password Extension
Upgrading multiple instances of Password Manager
Upgrading Password Manager
Administrative Templates
In-place upgrade from 5.8.2 or later versions to 5.14.0
Manual upgrade from 5.9.x or later versions
Running the Migration Wizard
Modifying the service account
Converting Q&A Profiles
Upgrading Secure Password Extension
Upgrading Password Policy Manager
Installing Administrative Templates
Configuring Administrative Templates
Updating Administrative Templates
Removing Administrative Templates
Secure Password Extension
Configuring access to the Self-Service Site from the Windows login screen
Deploying and configuring Secure Password Extension
Password Policies
Deploying Secure Password Extension
Configuring Secure Password Extension
Managing Secure Password Extension using Administrative Templates
Uninstalling Secure Password Extension
About Password Policies
Installing Password Policy Manager
Uninstalling Password Policy Manager
Creating and Configuring a Password Policy
Managing Password Policy scope
Deleting a Password Policy
Enable 2FA for administrators and helpdesk users
Reporting
Reporting and User Action History overview
Password Manager integration
Accounts used in Password Manager
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Setting up Reporting environment
Best practices for configuring Reporting Services
Password Manager Service account
Application pool identity
Domain management account
Password policy account
Account for using One Identity Quick Connect
Open communication ports for Password Manager
Customization options overview
Customization of steps in Password Manager Self-Service Site, and Helpdesk Tasks
Email notification customization
User agreement customization
Account search options customization
Web Interface customization
Customization of Password Policies list
Customization of Password strength meter
Customization of user name
Third-party contributions
Glossary
Phone-based authentication service overview
How phone-based authentication works
Password Manager architecture > Phone-based authentication service overview > How phone-based authentication works
When starting a workflow containing phone-based authentication, Password Manager checks whether the phone-based authentication service is enabled in the provided license. The workflow is executed only if this service is enabled in the license.
-
On the Self-Service or Helpdesk Site, a user selects their preferred phone number and verification method (SMS or automated call). This data is sent to Password Manager Service. Password Manager Service gets the phone numbers from the Active Directory attributes specified in the workflow settings.
-
Password Manager Service generates a verification code and transfers the code, selected phone number, and verification method to TeleSign Service. HTTPS is used to send the data. The generated verification code is stored until the workflow is ended. Only one code is stored at a time.
-
TeleSign Service sends an automated call or SMS to the user’s mobile phone with the verification code. The language of the automated call depends on the user interface language of the Self-Service or Helpdesk Site.
-
The user enters the verification code on the Self-Service Site, then the code is sent to Password Manager Service.
-
Password Manager Service checks the verification code, if it is correct, the user is granted access to further steps on the Self-Service Site.
How to use phone-based authentication
Password Manager architecture > Phone-based authentication service overview > How to use phone-based authentication
To use phone-based authentication on the Self-Service and Helpdesk sites, add the Authenticate via Phone activity in self-service and helpdesk workflows. When configuring this activity, you can specify Active Directory attributes from which phone numbers can be retrieved, and available authentication methods: that is, SMS or automated voice call.
Phone numbers that belong to Private Branch Exchange (PBX) are also supported. PBX phones require either a live switchboard operator or an automated attendant to complete the call. By default, Password Manager supports automated attendant scenario. It can be configured for live operators by changing PhoneNumberExtensionType parameter in QPM.Service.Host.exe.config file. For automated attendants, set PhoneNumberExtensionType to 1 and for live operators, set PhoneNumberExtensionType to 2.
For PhoneNumberExtensionType set to 1 (DTMF digits are dialed), include commas in the PhoneNumberExtensionTemplate, where each comma represents one second pause in the dialing sequence. To increase the pause in the dialing sequence, add the required number of commas in PhoneNumberExtensionTemplate in the configuration file.
NOTE: The phone number extension must be configured with extension separator in the Active Directory. Phone number with extension must have "x" or "X" in it to separate the extension number from the phone number as given in the following examples:
+91-98881234567 Extension 1234
+91-98881234567 Ext 1234
+91-98881234567 Extn 1234
+91-98861234567 x 1234
+91-98861234567 Ex 1234
For more information on configuring this activity, see Authenticate via phone.
System requirements
To use the phone-based authentication service, the following requirements must be met:
-
You have a valid license for the phone-based authentication service (see the About page of the Administration Site for the service status).
-
Outbound SSL connections are allowed from the computer on which Password Manager Service runs to the following address: https://*.telesign.com. * can be replaced with any valid subdomain name; for example, https://api.telesign.com or https://www.telesign.com.