Authenticate with Q&A Profile
Use this activity to authenticate a user with a personal Questions and Answers profile. In this activity you can specify mandatory and helpdesk questions from user’s Q&A profile that a user must answer to be authenticated.
|
IMPORTANT: Note, if the questions you selected in this activity are not found in the user’s Q&A profile, the user will not be authenticated and the workflow containing this activity will not be performed for this user. |
You can select one of the following authentication methods:
- Answers to the specified questions (user’s answer is shown). In this mode, a helpdesk operator will ask a user for complete answers to the specified questions, and then compare them to the answers displayed on the identity verification page.
|
IMPORTANT: This option cannot be used if user answers are not stored using reversible encryption. To store answers using reversible encryption, select the corresponding option in the Q&A profile settings. |
|
NOTE: By default, the answers on the Verify User Identity page are not displayed. To display the answers, you can clear the Hide my answers for security purposes checkbox on the Verify User Identity page. |
- Answers to the specified questions (user’s answer is not shown). In this mode, a helpdesk operator will ask a user for complete answers to the specified questions, and enter the answers on the identity verification page.
|
NOTE: By default, the answers on the Verify User Identity page are not displayed. To display the answers, you can clear the Hide my answers for security purposes checkbox on the Verify User Identity page. |
- Random characters of answers to the specified questions. In this mode, a helpdesk operator will ask a user to tell the specified number of characters in the user's answer to a specified question, and then type in those characters in the appropriate positions on the identity verification page.
Authenticate via Phone
Authenticate via Phone
Use this activity to include phone-based authentication in a helpdesk workflow. If your license includes phone-based authentication service, you will be able to configure and use this activity.
If your license does not include phone-based authentication service and you want to use this service, please contact One Identity Software Support to obtain the necessary license at https://support.oneidentity.com/.
Before enabling phone-based authentication, make sure that users’ phone numbers stored in Active Directory are in a correct format. The phone number must meet the following requirements:
- The number starts with either 00 or + followed by a country code and subscriber’s number. For example, +1 555-789-1314 or 00 1 5554567890.
- The number can have extensions. For example, the number +1 555 123-45-67 ext 890.
- Digits within the number can be separated by a space, hyphen, comma, period, plus and minus signs, slash (/), backward slash (\), asterisk (*), hash (#), and a tab character.
- The number can contain the following brackets: parentheses (), curly braces {}, square brackets [], and angle brackets <>. Only one set of brackets is allowed within the number. The opening bracket must be in the first half of the number. For example, the number +15551234(567) will be considered invalid.
The USA numbers may not start with 00 or + sign, if they comply with all other requirements and contain 11 digits. For example, the number 1-555-123-3245 will be considered valid.
This activity has the following settings:
- Authentication method. You can specify whether you want users to receive a call or an SMS with a one-time PIN code by selecting a corresponding option. You can also allow helpdesk operators to offer users to choose the authentication method by selecting the Allow users to choose between an automated voice call and SMS option.
- SMS template. Enter the text message that will contain a one-time PIN code and will be sent to users during phone authentication.
- telephoneNumber, homePhone, mobile and other attributes. Select one or several attributes of a user account from which telephone numbers will be used during phone-based authentication. You can also specify other attributes.
You can test the configured settings by clicking the Test settings button and entering the phone number to which a one-time PIN code will be sent.
Authenticate with Defender
You can use this activity to configure Password Manager to use Defender to authenticate users.
Defender is a two-factor authentication solution that authenticates users without forcing them to remember another new password. Defender uses one-time passwords (OTP) generated by special hardware or software tokens. Even if an attacker captures the password, there will be no security violation, since the password is valid only for one-time-use and can never be re-used.
You can use the Defender authentication to authenticate users before allowing them to reset or change their passwords, to unlock accounts, or manage Questions and Answers profiles.
Before configuring the settings in this activity, install and configure Defender as described in the Defender documentation.
|
IMPORTANT: To make Password Manager use the Defender authentication, you must install the Defender Client SDK on the server on which Password Manager Service is installed. |
This activity has the following settings:
- Defender Server: Specify the IP address of the computer running the Defender Server.
- Port number: Type the port number that the Defender Access Node uses to establish a connection with the Defender Server.
- Server timeout: Specify Defender Server timeout (in minutes).
- Defender shared secret: Provide the secret that the Defender Access Node will share when it attempts to establish a connection with the Defender Server.
Authenticate with Starling Two-Factor Authentication
Use this activity to configure Password Manager to use Starling Two-Factor Authentication to authenticate users.
You can use Starling Two-Factor Authentication to authenticate users before allowing them to reset or change their passwords, to unlock accounts, or manage Questions and Answers profiles.
Before using Starling Two-Factor Authentication for authentication, administrators have to configure it on One Identity Starling page of the Administration site. For more information, see One Identity Starling.
For authentication, you have to enter the Starling Two-Factor Authentication OTP that you have received through SMS, phone call, or from the Starling 2FA app, or accept the notification received in your phone. To use Starling 2FA app for push notification or to generate OTP, you must install Starling 2FA app on your device and register your phone number.
This activity requires authentication using one of the following options:
- OTP generated on Starling 2FA app. Open the Starling 2FA app, click the token, and copy the OTP. Enter the OTP in the Starling Two-Factor token response field.
- SMS. Click SMS. Enter the OTP received through SMS in the Starling Two-Factor token response field.
- Phone call. Click Phone Call. Enter the OTP received through phone call in the Starling-Two factor token response field.
- Push notification. Click Push Notification. Accept the notification received in your phone.
|
IMPORTANT: To authenticate with Starling Two-Factor Authentication, the user's email address and mobile number is mandatory. If the mobile number is not present in users active directory attribute, through the self-service site users can update the mobile number from the Manage My Profile page The email address should be present in users active directory attribute, if not, the email address must be configured by the administrator in the AD to authenticate successfully. |