PhoneFactor Authentication
ManageEngine and PhoneFactor have partnered to provide seamless integration with PhoneFactor's authentication services. PhoneFactor is a leading global provider of phone-based Two-Factor Authentication. The integration gives Access Manager Plus users simple and effective Two-Factor security.
During the login process, PhoneFactor places a confirmation call to the registered number. You have to answer the call and either press # or enter the PIN you have set, depending on the mode configured. The call is placed only after the initial (first-factor) authentication has succeeded. To know more about the other authentication methods, click here.
Summary of Steps
1. How does PhoneFactor Work with Access Manager Plus?
2. Sequence of Events
3. Enabling PhoneFactor Authentication
3.1 Prerequisite
3.2 Setting up Two-Factor Authentication in Access Manager Plus
3.3 Deciding the type of PhoneFactor Authentication
3.4 Enforcing Two-Factor Authentication for the Required Users
4. Connecting to Access Manager Plus Web Interface when TFA through PhoneFactor is Enabled
5. Workflow (TFA using PhoneFactor)
1. How does PhoneFactor Work with Access Manager Plus?
You will be specifying the phone numbers for your users, which creates a mapping between the users and their phone numbers. In PhoneFactor agent mode, the user details, including the phone numbers, are maintained at the agent. In Direct SDK mode, the phone numbers are maintained in the Access Manager Plus database itself. When a user tries to log in to Access Manager Plus, PhoneFactor looks up the phone number of that user and places a call.
2. Sequence of Events
- A user tries to access Access Manager Plus web-interface.
- Access Manager Plus authenticates the user through Active Directory or LDAP or locally.
- Now, Access Manager Plus prompts for the second factor credential through PhoneFactor.
- PhoneFactor places a call to the user's registered phone. The user answers the call and presses # (or enters the PIN, in agent mode).
- Access Manager Plus grants the user access to the web-interface.
3. Enabling PhoneFactor Authentication
3.1 Prerequisite
Prior to enabling PhoneFactor authentication, you need to purchase a PhoneFactor license. After getting PhoneFactor, you need to decide on the specific authentication method: whether you want to install the PhoneFactor agent in your environment or deploy the PhoneFactor Direct SDK.
3.2 Setting up Two-Factor Authentication in Access Manager Plus
- Navigate to Admin >> Authentication >> Two-Factor Authentication.
- Select PhoneFactor and enter the required details.
- Click Save.
Note: Before proceeding further, ensure that you have entered the phone numbers for all the users for whom you wish to enable Two-Factor Authentication through PhoneFactor in Access Manager Plus. You can enter a landline number or a mobile number as the primary contact number for PhoneFactor authentication.
3.3 Deciding the type of PhoneFactor Authentication
You can choose to deploy PhoneFactor Agent or PhoneFactor Direct SDK.
Note: Among the choices above, only the PhoneFactor agent supports entering a PIN for authentication while answering the phone call from PhoneFactor. In Direct SDK mode, users will just be prompted to press the # key and not to enter a PIN. Pressing # proves only that whoever answered has the phone; a PIN additionally requires knowledge of a secret, so the agent with PIN enabled is the stronger of the two options.
3.3.1 Configurations in PhoneFactor Agent
The PhoneFactor agent runs on a Windows server within your network. It includes a configuration wizard that guides you through the setup process for securing Access Manager Plus with PhoneFactor. The PhoneFactor agent can also integrate with your existing Active Directory or LDAP server for centralized user provisioning and management. All user data is stored within the corporate network for additional security. Extensive logging is available for reporting and auditing.
Obtain and install the PhoneFactor Agent and Web Services SDK on a Windows server within your network. The wizard will guide you through the installation process.
1. Configurations in PhoneFactor
Note: If you have already installed PhoneFactor agent, skip this step and directly proceed to Step 2.
- Since the phone numbers of the users are maintained in the PhoneFactor agent, after installing it you need to add all the Access Manager Plus users for whom Two-Factor Authentication through PhoneFactor has been enabled in AMP to the agent, and enter their phone numbers there. You can also integrate Active Directory / LDAP with the PhoneFactor agent and import the users automatically. Users who are authenticated through Access Manager Plus's local authentication have to be added to the PhoneFactor agent manually, along with their phone numbers.
- While adding users in the PhoneFactor agent, take care to use exactly the same username as in Access Manager Plus. In Access Manager Plus you would have provided a 'PhoneFactor username' for each user who is to be authenticated by PhoneFactor; the username configured in the agent must match it, otherwise the agent cannot look up the user's phone number and no call is placed.
- After importing users, check if the phone numbers have been entered in the correct format.
Note: User information and their phone numbers are maintained in PhoneFactor agent. That means, users will receive the call only at the phone numbers specified in the agent. Whenever you want to modify the phone number, you need to carry out the change at the agent. Similarly, whenever you add new users to Access Manager Plus and if TFA through PhoneFactor is enabled for them, you need to add the user in PhoneFactor agent too. Otherwise, TFA through PhoneFactor will not work.
2. Configurations in Access Manager Plus
- In the Two-Factor Authentication GUI in Access Manager Plus, select the Authentication Method as PhoneFactor Agent.
- Enter the credentials to access the PhoneFactor agent's Web Services SDK: the user name, the password and the URL of the host where the PhoneFactor agent is running.
- Communication between Access Manager Plus and the host running the PhoneFactor agent takes place over SSL. Access Manager Plus will only connect if it trusts the SSL certificate you specified while installing the Web Services SDK, so that certificate (or the CA that issued it) has to be imported into Access Manager Plus.
While installing the PhoneFactor agent / Web Services SDK, you would have either created a self-signed SSL certificate or used an already available internal certificate (your own certificate, issued by an internal CA). In the first case, import the self-signed certificate itself; in the second case, import the root certificate of the internal CA. If you are using a certificate signed by a public third-party CA that Access Manager Plus already trusts, you may skip this step.
To import the certificate or the root of the CA:
- Navigate to the <AMP_Installation_Folder>/bin directory.
- Execute importPhoneFactorCert.bat (in Windows) or importPhoneFactorCert.sh (in Linux) as follows:
(In Windows)
In the case of self-signed certificates
importPhoneFactorCert.bat <absolute path of the self-signed certificate>
In the case of your own certificates or already available internal CAs
importPhoneFactorCert.bat <absolute path of the root of the CA>
(In Linux)
In the case of self-signed certificates
sh importPhoneFactorCert.sh <absolute path of the self-signed certificate>
In the case of your own certificates or already available internal CAs
sh importPhoneFactorCert.sh <absolute path of the root of the CA>
- Restart the Access Manager Plus server.
- Once you execute the above, the imported certificate is recorded as trusted in Access Manager Plus. If you imported the root of a CA, every certificate signed by that CA will henceforth be trusted automatically. If you imported a self-signed certificate, only that exact certificate is trusted: whenever it is replaced or renewed on the agent host, import the new certificate again and restart, otherwise the SSL connection to the agent fails and so does TFA.
- Proceed to Step 3.4 - Enforcing Two-Factor Authentication for required users in Access Manager Plus.
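A pre-import check for the certificate file handed to importPhoneFactorCert.sh, as an added example that is not part of Access Manager Plus or PhoneFactor. It assumes the openssl command-line tool is installed on the Access Manager Plus (Linux) host and that AMP_HOME points at the installation folder; both are assumptions, as are the function names and the default path. It confirms that the file is a PEM certificate, that it is self-signed (a leaf certificate issued by an internal CA is refused, because in that case the instructions above call for the root of the CA), and that it is not about to expire; a second function checks, against the running agent, that the chain served at the Web Services SDK host and port verifies with that file.

```shell
#!/bin/sh
# Added example (not ManageEngine or PhoneFactor code): sanity-check the
# certificate before handing it to importPhoneFactorCert.sh.
# Assumptions: the openssl CLI is installed; AMP_HOME is the Access Manager
# Plus installation folder (the default below is a placeholder).
AMP_HOME="${AMP_HOME:-/opt/ManageEngine/AccessManagerPlus}"

# check_trust_anchor <pem>: return 0 if the file is something Access Manager
# Plus can usefully trust: a self-signed certificate (subject == issuer),
# i.e. either the self-signed SDK certificate itself or the root of an
# internal CA. A leaf or intermediate issued by another CA is refused,
# because importing it would not make the agent's chain trusted.
check_trust_anchor() {
    pem="$1"
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "ERROR: $pem is not a PEM X.509 certificate" >&2
        return 1
    fi
    subject=$(openssl x509 -in "$pem" -noout -subject)
    issuer=$(openssl x509 -in "$pem" -noout -issuer)
    echo "$subject"
    echo "$issuer"
    openssl x509 -in "$pem" -noout -enddate
    # Strip the "subject=" / "issuer=" prefixes and compare the DNs.
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "ERROR: not self-signed; import the root of the issuing CA instead" >&2
        return 1
    fi
    # -checkend fails if the certificate expires within N seconds (30 days here);
    # a self-signed import is pinned, so a renewal means a re-import.
    if ! openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null; then
        echo "ERROR: certificate expires within 30 days; renew and re-import" >&2
        return 1
    fi
    return 0
}

# check_agent_chain <host:port> <pem>: connect to the Web Services SDK
# endpoint and verify the served chain against the file, the way Access
# Manager Plus will after the import. Returns 0 only if verification succeeds.
check_agent_chain() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# import_cert <pem>: run the product's own import script after the check.
import_cert() {
    check_trust_anchor "$1" || return 1
    sh "$AMP_HOME/bin/importPhoneFactorCert.sh" "$1"
    echo "imported; restart the Access Manager Plus server to activate it"
}

case "${1:-}" in
    check)  check_trust_anchor "$2" ;;
    chain)  check_agent_chain "$2" "$3" ;;
    import) import_cert "$2" ;;
esac
```

Run `sh pfcert.sh check /path/to/cert.pem` before the import; after the restart, `sh pfcert.sh chain <agent host:port> /path/to/cert.pem` confirms that the agent presents a chain that verifies against what was imported, which is the same check that fails when a self-signed certificate has been renewed without a re-import.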
Note: If your enterprise network setup requires connecting to the internet via a proxy server, you need to configure the proxy settings to enable Access Manager Plus connect to PhoneFactor website. (AMP GUI >> Admin >> Server Settings >> Proxy Server)
3.3.2 Configurations in PhoneFactor Direct SDK
Instead of using the agent, you can use the PhoneFactor Direct SDK, which integrates with Access Manager Plus directly and leverages Access Manager Plus's existing user database.
1. Configurations in SDK
PhoneFactor jars have been bundled with Access Manager Plus. So it is enough to purchase PhoneFactor and supply the license details as explained in Step 2 below.
2. Configurations in Access Manager Plus GUI
- Check the Access Manager Plus users and ensure that you have entered phone numbers for all the users for whom you wish to enable Two-Factor Authentication through PhoneFactor in Access Manager Plus. The phone numbers should be entered in the proper format. In contrast to the PhoneFactor agent, where the phone numbers of the users are recorded and maintained at the agent, in the case of Direct SDK the phone numbers are maintained in Access Manager Plus itself.
- In the Two-Factor Authentication GUI in Access Manager Plus, specify the path of the PhoneFactor license file, the PhoneFactor certificate and the private key password. (These files will be present under the PhoneFactor SDK folder.)
- Proceed to Step 3.4 - Enforcing Two-Factor Authentication for required users in Access Manager Plus.
Note: If your enterprise network setup requires connecting to the internet via a proxy server, you need to configure the proxy settings to enable Access Manager Plus connect to PhoneFactor website. (AMP GUI >> Admin >> Server Settings >> Proxy Server)
3.4 Enforcing Two-Factor Authentication for the Required Users
- Once you save PhoneFactor as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom Two-Factor Authentication should be enforced.
- You can enable or disable Two-Factor Authentication for a single user or multiple users in bulk from here. To enable Two-Factor Authentication for a single user, click on the Enable button beside their respective username. For multiple users, select the required usernames and click on Enable at the top of the user list. Similarly, you can also Disable Two-Factor Authentication from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-Factor Authentication.
4. Connecting to Access Manager Plus Web Interface when TFA through PhoneFactor is Enabled
- The users for whom Two-Factor Authentication is enabled, will have to authenticate twice successively. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through Access Manager Plus's local authentication or AD/LDAP authentication.
- When TFA is enabled, the login screen asks for the username alone on the first screen. The user is prompted to enter the password only in the second step.
5. Workflow (TFA using PhoneFactor)
If the administrator has chosen TFA through PhoneFactor, the Two-Factor Authentication will happen as detailed below:
- Upon launching the Access Manager Plus web-interface, the user has to enter the Username to login to Access Manager Plus and click Login.
- The user has to enter the local authentication or AD/LDAP Password as applicable.
- Once authentication through the first factor is successful, the user has to wait for the call to their phone from PhoneFactor.
- The user answers the call and presses the # key or enters the PIN as instructed. PhoneFactor completes the second-factor authentication, after which Access Manager Plus grants access to the web interface.