Phone number profiling service configuration guide

Note

This configuration guide applies only to Identity Platform realms created in the Classic Experience UI. It will not work for applications created in the New UI.

Use this guide to configure SecureAuth® Identity Platform phone profiling features to prevent bad actors from accessing a realm via compromised phone services or numbers. Block authentication attempts from specified phone sources, carriers (both domestic and international), or numbers that recently changed carriers.

When the end user attempts to use a phone number as a second authentication factor, an SMS/Text or Voice One Time Password (OTP) is dispatched only if the phone number is allowed based on the information retrieved from the phone number profiling service. Phone number profiling is enabled on a per-realm basis.

Note

The SecureAuth Identity Platform Detect license is required to use this feature.

Prerequisites

  • Identity Platform release 19.07 or later

  • A realm created in Classic Experience with the following tabs configured:

    • Overview – the description of the realm and SMTP connections must be defined

    • Data – a data store must be integrated with SecureAuth Identity Platform

    • Workflow – the way in which users will access the target must be defined

    • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access the target (if any) must be defined

    • Post Authentication – the target resource or post authentication action must be defined

    • Logs – the logs that will be enabled or disabled for this realm must be defined

Note

If using the API with any configured phone number profiling service option, refer to the Authentication API guide and Phone Profiling Service authentication API guide for information on configuring endpoints.

Identity Platform configuration steps

  1. In the Classic Experience UI, go to the Data tab for the realm where you will enable phone number profiling.

  2. In the Profile Fields section, map the designated Field Attribute to an available Property that matches the attribute's requirement.

    The Field Attribute must meet the following requirements:

    • Directory String (syntax: 2.5.5.12)

    • Upper Range of at least 4096

    • Multi-valued (true)

    For example, map accountNameHistory to Aux ID 2.


    Note

    This step is required if the Block phone numbers that recently changed carriers feature is enabled.

  3. Select the Writable check box.

  4. Click Save.

    Warning

    Click Save once the configuration is complete and before leaving the Data page to avoid losing changes.

  5. Go to the Multi-Factor Methods tab.

  6. In the Multi-Factor Configuration, Phone Settings section, set the following:

    Block phone numbers from the following sources

    Select the phone source(s) to be blocked from receiving SMS/Text or Voice OTPs.

    • Cellular Telephones – Mobile or wireless phone numbers

    • Landlines – Phone numbers of home or office wired lines

    • IP Phones – Virtual phone numbers, also known as DID or access numbers, without a directly associated phone line

    • Toll-free Numbers – Phone numbers with the following area codes: 800, 888, 877, 866, 855, or 844

    • Premium Rate Numbers – Phone numbers used to provide a service over the call, where part of the call charge is paid to the service provider

    • Pagers – Phone numbers of call devices that can only receive messages

    • Unknown – Phone numbers whose classification could not be determined

    Block phone numbers that have recently changed carriers

    Select Enable to prevent newly ported phone numbers from receiving SMS/Text or Voice OTPs.

    Optional. Select Allow users to approve or delete a phone number that has recently changed carriers to let end users accept or remove a newly ported phone number from the multi-factor methods page during authentication.

    Store carrier information in

    Select the Property designated in Step 2 to store the carrier information in.

    If using the Authentication API, this is the property that stores the originalCarrier information.

    Block or allow phone numbers by carrier or country

    Select Enable block / allow list to deny or permit SMS/Text or Voice OTPs to be received by phone numbers from carriers or countries specified on the activated block and allow lists.

  7. Click Save.

    Warning

    Click Save once the configuration is complete and before leaving the Multi-Factor Methods page to avoid losing changes.

  8. If enabling the Block or allow phone numbers by carrier or country feature, click Define list of blocked / allowed numbers and carriers to configure the block and allow lists.

  9. In the Block or Allow Countries / Carriers section, select the option to Block or Allow phone numbers from specified countries or carriers.

    Notice

    Based on the radio button selection, the heading toggles between Blocked Countries / Carriers and Allowed Countries / Carriers. Only one of these two options can be applied.

  10. Click Add country / carrier.

  11. In the Find and select countries / carriers box, type in characters of the country or carrier name to block or allow.

  12. Make the selection(s) from the list of countries and carriers that appears in the picker box.

  13. Click Close after all selections are made.

  14. To remove a listed country together with all carriers listed for it, click the X next to the country name.

    To remove a listed carrier, click the X next to the carrier name.

  15. Click Save.

    Warning

    Click Save once the configuration is complete and before leaving the Block or Allow Countries / Carriers page to avoid losing changes.

End user experience

When logging into a SecureAuth Identity Platform realm with one or more blocked phone sources, if the end user account includes any of the blocked phone sources, the message "Some multi-factor methods are currently unavailable" appears and any affected phone number selection is disabled.


When logging into a SecureAuth Identity Platform realm that has the option to block ported phone numbers enabled, if the end user account includes a phone number that has recently been ported to another carrier, the message "Some multi-factor methods are currently unavailable" appears and the ported phone number selection is disabled.


If the option is enabled to let end users approve or delete phone numbers recently ported to another carrier, upon successfully completing the second authentication factor, the message "Your phone number [phone number] has recently changed carriers" appears with the following selections:

  • Approve carrier change for this number – selecting this option enables the phone number as a second authentication factor

  • Delete this number from my profile – selecting this option removes the phone number from the passcode delivery method page

  • Ignore this message for now – selecting this option shows the Approve / Delete / Ignore page on subsequent second-factor login attempts until the option to delete the phone number from the profile is enabled


When logging into a SecureAuth Identity Platform realm that has enabled the option to block a defined list of countries or carriers, if the end user account includes one or more phone numbers from a blocked country or carrier, the message "Some multi-factor methods are currently unavailable" appears and any affected phone number selection is disabled.

When the option to allow a defined list of countries or carriers is enabled, if the end user account includes one or more phone numbers from a country or carrier not on the allowed list, the message "Some multi-factor methods are currently unavailable" appears and any affected phone number selection is disabled.
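To make the decision logic behind the Phone Settings of Step 6, the block / allow list of Step 9, and the end-user messages described above concrete, here is an added illustration in Python. It is not SecureAuth's code; the profile field names, the shape of the profiling-service result and the order of the checks are assumptions.

```python
# Added illustration, not SecureAuth's own code: a model of the per-realm phone profiling
# decision this guide configures. Field names and check order are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

UNAVAILABLE_MSG = "Some multi-factor methods are currently unavailable"

@dataclass
class RealmPhonePolicy:
    blocked_sources: Set[str] = field(default_factory=set)  # step 6, e.g. {"IP Phones"}
    block_recent_carrier_change: bool = False               # step 6, "Enable"
    list_mode: Optional[str] = None                         # None, "block" or "allow"
    listed: Set[str] = field(default_factory=set)           # country and carrier names

    def __post_init__(self):
        # Step 9: only one of the block list or the allow list can be applied.
        if self.list_mode not in (None, "block", "allow"):
            raise ValueError("list_mode must be None, 'block' or 'allow'")

@dataclass
class PhoneProfile:
    number: str
    source: str                    # classification returned by the profiling service
    carrier: str                   # carrier currently reported for the number
    country: str
    stored_carrier: Optional[str]  # value held in the property chosen in step 2 (originalCarrier)

def carrier_changed(profile: PhoneProfile) -> bool:
    """Recent carrier change: the carrier reported now differs from the stored one."""
    return profile.stored_carrier is not None and profile.stored_carrier != profile.carrier

def otp_allowed(policy: RealmPhonePolicy, profile: PhoneProfile) -> Tuple[bool, Optional[str]]:
    """Return (allowed, reason) for sending an SMS/Text or Voice OTP to this number."""
    on_list = profile.country in policy.listed or profile.carrier in policy.listed
    if profile.source in policy.blocked_sources:
        return False, "blocked source: " + profile.source
    if policy.block_recent_carrier_change and carrier_changed(profile):
        return False, "recently changed carriers"
    if policy.list_mode == "block" and on_list:
        return False, "country or carrier on the block list"
    if policy.list_mode == "allow" and not on_list:
        return False, "country and carrier not on the allow list"
    return True, None

def mfa_phone_menu(policy: RealmPhonePolicy, profiles: List[PhoneProfile]):
    """Mirror the login page: enable/disable each phone option, show the banner if any is disabled."""
    options = {p.number: otp_allowed(policy, p)[0] for p in profiles}
    banner = None if all(options.values()) else UNAVAILABLE_MSG
    return options, banner
```

The sample numbers and carrier names used when exercising this model are constructed; a real deployment takes these values from the profiling service and from the writable property mapped in Step 2.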
