OTP over SMS or E-mail

Authentication using One-Time Passwords (OTP) provides an extra level of security during the authentication process. OpenIAM supports:

  • OTP over SMS / E-mail.
  • TOTP using the OpenIAM authenticator.

OpenIAM also provides the flexibility of defining which URLs need a higher level of security and which ones don't. This allows you to determine if you want, for example, to enable OTP-based authentication for an entire application like the web console or for a specific operation or application that has a higher level of sensitivity.

Configuring an authentication provider

The first step is to update the authentication provider as follows.

  • Go to web console > Access Control > Authentication providers.
  • Select the provider by searching in the Authentication Provider Search box. If you are using the default authentication provider, then select Default OpenIAM Auth Policy. You will see a screen like the one below.

OTP auth provider

From the screen above, enable the OTP delivery mechanisms that you want to support. The options are:

  • Supports SMS One-Time Password - Delivers the OTP over SMS.
  • Supports Email One-Time Password - Delivers the OTP over e-mail.

Ensure that you have configured your SMTP Gateway and SMS Gateway.
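The gateway only delivers the code; the issuing side still has to generate it unpredictably, bind it to the user, expire it, limit guesses and make it single-use. The following Python is an added example of that lifecycle and is not OpenIAM's code; the six-digit length, five-minute validity window and five-attempt limit are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6           # assumption: six-digit numeric code, as commonly sent over SMS
OTP_TTL_SECONDS = 300    # assumption: the code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: discard the code after five wrong guesses


class OtpStore:
    """In-memory store of pending one-time codes, keyed by user id (illustrative only).

    Only a salted digest of the code is kept, so a dump of the store does not
    reveal codes that are still valid.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}

    def issue(self, user_id: str) -> str:
        # Draw from the CSPRNG and zero-pad so the length never hints at the value.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # hand this to the SMS / e-mail gateway; never write it to a log

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        # Expired or exhausted codes are dropped so they cannot be retried later.
        if self._now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            self._pending.pop(user_id, None)
            return False
        entry["attempts"] += 1
        # Constant-time comparison of digests avoids leaking matching prefixes.
        ok = hmac.compare_digest(entry["digest"], self._digest(entry["salt"], submitted))
        if ok:
            self._pending.pop(user_id, None)  # single use: a replayed code fails
        return ok

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()
```

A successful verification is what should raise the session's authentication level; the code itself is consumed on first use, and a code that has expired or been guessed at too often is removed rather than left waiting.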

Configuring a URL pattern

After the authentication provider has been configured with SMS or e-mail delivery, the next step is to select the URLs that will be protected with OTP. To select a URL, follow the steps below.

  1. Find the required Content provider, click Edit, and scroll down to the URL patterns section, as shown below. Click Edit.

URL patterns

  • Click the + sign and add the TOTP authentication rule.

Adding the rule

  • Click Save. The rule is added to Support authentication levels.
  2. Select the URL that needs to be protected. For example, if you need to protect the entire SelfService portal URL:
  • Find /selfservice/* in URL patterns and click Edit.
  • Scroll down to the Support authentication levels section.

Support authentication levels

  3. Click Save on the Content provider page to finish the configuration. Now, whenever somebody tries to access the SelfService portal, they will be asked to log in using OTP.

The SelfService portal is now protected by the TOTP authentication rule. If you want to protect another URL, repeat the steps for the URL you want to protect. Go to the required Content provider > URL patterns > select URL > add authentication rule.
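What the configuration above expresses is a mapping from URL patterns to required authentication levels, evaluated against what the current session has already completed. The following Python is an added example of such an evaluator, written to illustrate the idea; it is not OpenIAM's code and does not reproduce its matching rules. The rule set, the level names PASSWORD and OTP, and the decision that every matching pattern's requirements apply together are assumptions made for the example. It also shows the check a practitioner wants: the path is decoded and normalized before matching, so a dot-segment or percent-encoded variant of a protected path is still recognised as protected.

```python
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class UrlRule:
    pattern: str              # glob in the style of the URL patterns page, e.g. "/selfservice/*"
    required: frozenset       # authentication levels the session must have completed


@dataclass(frozen=True)
class Session:
    completed: frozenset      # authentication levels already satisfied in this session


# Constructed rule set (assumption): a password everywhere, password plus OTP for self service.
RULES = [
    UrlRule("/*", frozenset({"PASSWORD"})),
    UrlRule("/selfservice/*", frozenset({"PASSWORD", "OTP"})),
]


def normalize_path(url: str) -> str:
    """Return the decoded, dot-segment-free path so matching sees the path the app will serve."""
    path = unquote(urlsplit(url).path) or "/"
    normalized = posixpath.normpath(path)       # collapses "." and ".." segments
    if path.endswith("/") and normalized != "/":
        normalized += "/"                       # normpath strips a trailing slash; keep it
    return normalized


def required_levels(rules, url: str) -> frozenset:
    """Union of the levels demanded by every pattern that matches the normalized path."""
    path = normalize_path(url)
    needed = set()
    for rule in rules:
        if fnmatchcase(path, rule.pattern):     # "*" also spans "/" so "/selfservice/*" covers subpaths
            needed |= rule.required
    return frozenset(needed)


def decide(rules, session: Session, url: str) -> str:
    """'allow' when the session already holds every required level, otherwise which levels to step up to."""
    missing = required_levels(rules, url) - session.completed
    if not missing:
        return "allow"
    return "step-up:" + ",".join(sorted(missing))


if __name__ == "__main__":
    password_only = Session(frozenset({"PASSWORD"}))
    for url in ["/webconsole/", "/selfservice/profile", "/webconsole/../selfservice/profile"]:
        print(url, "->", decide(RULES, password_only, url))
```

A session that has only completed the password step is allowed into the web console but is sent to step up for OTP on anything under /selfservice/, and the two evasive spellings of that path are treated the same as the plain one.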

Inserting rules into specific places

  1. Remove the existing authentication rule if the list is not empty.

If you need only one type of authentication, you can select a new authentication rule from the default values.

  2. If you need to use two or more authentication steps, you will need to create a new authentication rule with the required steps. For example:

2-step authentication example

Select a new authentication rule, as shown in the screenshot below.

2-step authentication rule example 02

Click Save. The rule will be added to Support authentication levels.

For more instructions about authentication rules, please consult this document.