Defender SMS Soft Token Setup Guide (4249268)

How to setup and configure Defender SMS Tokens

• works with any device capable of receiving SMS

• sends a one-time password (OTP) directly to a specified mobile device

• supports all applications protected by Defender

Mobile Provider

An account with an external mobile provider service is required to send Defender SMS token responses to a cell phone.

*** The current implementation of Defender (up to 5.9.5) does not allow the passing of custom SMS data via the URL.
e.g https://smsprovider/{mobile}/smsotp/

To enable the use of Defender SMS Soft Tokens the following steps are required:

1. Ensure you have a valid Defender Universal Desktop Token License installed. This can be verified by located the PGODTL_UNIVERSAL license object in Active Directory. The default location for this object is the Defender OU in the root of your domain. 

2. Create a new Defender Policy Object and edit the settings on the SMS Token tab. Check the "Enable SMS Token" box, choose whether you want the phone to receive codes automatically, or only by request and then file out your mobile provider information.

The screen shot below shows an example configuration. The details may vary depending on the mobile provider you choose.



The "Keyword" field can be used to provide a word or phrase that users enter when prompted for Defender Token authentication.  If the correct "Keyword" is entered by the user then a Token response will be sent to user.  Please see step 4 for further details.

The example "POST Data" provided can be changed depending on the requirements of your mobile provider.

Policy example:



The Policy details above are an example showing the settings for a policy requiring the user to enter their token response only.  This can be changed as required.

Once configured the policy should be assigned to either:

• The relevant Access Node that will handle the incoming authentication requests
• Directly to an Active Directory group or user account
• the Defender Security Server (DSS) that will be used to handle incoming authentication requests

3. Program a Defender SMS Token for each user that will be using this service. This can be done by clicking the "Program" button on the Defender tab of the user's properties or by choosing the "Program Tokens..." option under the Defender menu at the top of the screen. After the token programming wizard is completed, the new token will be listed in the user's properties, as shown below.



The user’s mobile telephone number must also be provided. This is entered on the "Telephones" tab on the user’s properties page:



4. To authenticate using the Defender SMS token:

Because the user is sent the required token response via SMS, the user needs to request the token from Defender.  When prompted by Defender for the token response the user can either enter the "Keyword" that has been configured within the "Mobile Provider" settings ( please see step 2 above).



Or enter the PIN that has been configured for their Defender SMS token using the "Set PIN" option on the "Defender" tab of the users properties page.



Either of these responses will alert Defender that the user requires a token response and will send this via SMS.  If a PIN has been set on the token then this must also be entered when entering the token response, i.e., if the PIN is set to ‘1234’ and the token response received via SMS is ‘934512’ then the user would enter ‘1234934512’.



If the information entered is correct, the user will be authenticated by Defender and granted access.