Phone number profiling service configuration guide
Use this guide to configure SecureAuth® Identity Platform phone profiling features to prevent bad actors from accessing an application via compromised phone services or numbers. Block authentication attempts from specified phone sources, carriers (both domestic and international), or numbers that recently changed carriers.
When the end user attempts to use a phone number as a second authentication factor, an SMS/Text or Voice one-time password (OTP) is dispatched only if the phone number is allowed based on information retrieved from the phone number profiling service. Phone number profiling is enabled on a per-application basis.
Note
The SecureAuth Identity Platform Detect license is required to use this feature.
Prerequisites
Identity Platform release 19.07 or later
An existing configured application in the Identity Platform
Note
If you are using the API with any configured phone number profiling service option, refer to the Authentication API guide and Phone Profiling Service authentication API guide for information on configuring endpoints.
Identity Platform configuration steps
In the Identity Platform, go to Advanced Settings for the application where you want to configure phone profiling.
Select the Multi-Factor Methods tab.
In the Multi-Factor Configuration, Phone Settings section, set the following:
Block phone numbers from the following sources
Select the phone source(s) to be blocked from receiving SMS/Text or Voice OTPs.
Cellular Telephones – Mobile or wireless phone numbers
Landlines – Phone numbers of home or office wired lines
IP Phones – Virtual phone numbers, also known as DID or access numbers, without a directly associated phone line
Toll-free Numbers – Phone numbers with the following area codes: 800, 888, 877, 866, 855, or 844
Premium Rate Numbers – Phone numbers or phone calls in which certain services are provided and part of the charges are paid to the service provider
Pagers – Phone numbers of call devices that can only receive messages
Unknown – Phone number of an anonymous classification
Block phone numbers that have recently changed carriers
Select Enable to prevent newly ported phone numbers from receiving SMS/Text or Voice OTPs.
Optional. Select Allow users to approve or delete a phone number that has recently changed carriers to let end users accept or remove a newly ported phone number from the multi-factor methods page during authentication.
Store carrier information in
This is the mapped data store property in which the carrier information is stored.
If using the Authentication API, this is the property that stores the originalCarrier information.
Block or allow phone numbers by carrier or country
Select Enable block / allow list to deny or permit SMS/Text or Voice OTPs to be received by phone numbers from carriers or countries specified on the activated block and allow lists.
Save your changes.
If enabling the Block or allow phone numbers by carrier or country feature, click Define list of blocked / allowed numbers and carriers to configure the block and allow lists.
In the Block or Allow Countries / Carriers section, select the option to Block or Allow phone numbers from specified countries or carriers.
Notice
Based on the radio button selection, the heading toggles between Blocked Countries / Carriers and Allowed Countries / Carriers. Only one of these two options can be applied.
Click Add country / carrier.
In the Find and select countries / carriers box, type in characters of the country or carrier name to block or allow.
Make the selection(s) from the list of countries and carriers that appears in the picker box.
Click Close after all selections are made.
To remove a listed country, click the X next to the country name to remove the country and all carriers listed for that country.
To remove a listed carrier, click the X next to the carrier name.
Save your changes.
End user experience
When an end user logs in to a SecureAuth Identity Platform application in any of the following scenarios, the message "Some multi-factor methods are currently unavailable" appears and the affected selection is disabled.
When the application has one or more blocked phone sources, and the end user account includes any of these blocked sources.
When the application has enabled the option to block ported phone numbers, and the end user account includes a number that was recently ported to another carrier.
When the application has enabled the option to block a defined list of countries or carriers, and the end user account includes one or more phone numbers from a blocked country.
When the application has enabled the option to allow a defined list of countries or carriers, and the end user account includes one or more phone numbers from a country or carrier not on the allowed list.
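The four scenarios above can be modelled as a single policy check. This is an added example, not SecureAuth code. The class names, field names, reason strings, and the rule that a port is detected by comparing the current carrier with the stored one are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Source categories from "Block phone numbers from the following sources".
SOURCES = {"cellular", "landline", "ip_phone", "toll_free",
           "premium_rate", "pager", "unknown"}

@dataclass
class PhoneSettings:  # hypothetical model of one application's Phone Settings
    blocked_sources: set = field(default_factory=set)
    block_recently_ported: bool = False
    list_enabled: bool = False
    allow_mode: bool = False  # False = block list, True = allow list; only one applies
    countries: set = field(default_factory=set)
    carriers: set = field(default_factory=set)  # (country, carrier) pairs

@dataclass
class PhoneProfile:  # hypothetical shape of a profiling lookup result
    source: str
    country: str
    carrier: str
    stored_carrier: Optional[str] = None  # value in the mapped data store property

def otp_block_reasons(cfg: PhoneSettings, p: PhoneProfile) -> list:
    """Return every reason the number is denied an OTP; empty list means allowed."""
    reasons = []
    # Assumption: an unrecognised classification is treated as "unknown".
    source = p.source if p.source in SOURCES else "unknown"
    if source in cfg.blocked_sources:
        reasons.append(f"blocked source: {source}")
    # Assumption: a port is detected as a mismatch with the stored carrier.
    if cfg.block_recently_ported and p.stored_carrier not in (None, p.carrier):
        reasons.append("recently changed carriers")
    if cfg.list_enabled:
        listed = p.country in cfg.countries or (p.country, p.carrier) in cfg.carriers
        if cfg.allow_mode and not listed:
            reasons.append("not on allow list")
        elif not cfg.allow_mode and listed:
            reasons.append("on block list")
    return reasons

if __name__ == "__main__":
    # Constructed sample data; carrier names are made up.
    cfg = PhoneSettings(blocked_sources={"ip_phone", "unknown"},
                        block_recently_ported=True, list_enabled=True,
                        allow_mode=True, countries={"US"})
    for p in (PhoneProfile("cellular", "US", "ExampleTel", "ExampleTel"),
              PhoneProfile("cellular", "US", "SampleMobile", "ExampleTel"),
              PhoneProfile("satellite", "CA", "ExampleTel")):
        print(p.source, p.country, otp_block_reasons(cfg, p) or "OTP dispatched")
```

Returning every matching reason, rather than stopping at the first, makes it easier to see which setting blocked a given number when several settings are enabled on the same application.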
If the application enables end users to approve or delete phone numbers recently ported to another carrier, upon successfully completing the second authentication factor, the message "Your phone number [phone number] has recently changed carriers" appears with the following selections:
Approve carrier change for this number – selecting this option enables the phone number as a second authentication factor
Delete this number from my profile – selecting this option removes the phone number from the passcode delivery method page
Ignore this message for now – selecting this option shows the Approve / Delete / Ignore page on subsequent second factor login attempts until the option to delete the phone number from the profile is enabled