Introduction

Use this guide to configure SecureAuth IdP to block specified phone sources, allow or block phone carriers / countries, and identify phone numbers that recently changed carriers in order to prevent bad actors from using specified phone classes / numbers.

When the end-user attempts to use a phone number as a second authentication factor, an SMS OTP / Voice OTP is dispatched only if the phone number is allowed based on information retrieved from the phone number profiling service.

NOTE: The SecureAuth IdP Detect license is required to use this feature

Prerequisites

1. Ensure SecureAuth IdP is running v9.1 or later

2. In the SecureAuth IdP Web Admin, create a new realm or access an existing realm in which the phone number profiling service will be used

3. Configure the following tabs in the Web Admin in addition to configuring the phone number profiling service

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access the target (if any) must be defined
  • Post Authentication – the target resource or post authentication action must be defined
  • Logs – the logs that will be enabled or disabled for this realm must be defined

Refer to the Authentication API Guide and Phone Profiling Service Authentication API Guide for information on configuring endpoints, if using the API with any configured phone number profiling service option

SecureAuth IdP Configuration Steps

Data


1. This step is required if the feature to Block Phone Numbers that Recently Changed Carriers is used

Map the Aux ID 2 Profile Property to a directory field that meets these requirements

    • Directory String (syntax: 2.5.5.12)
    • Upper Range of at least 4096
    • Multi-valued (true)

Set the Property to be Writable

NOTE: For example, accountNameHistory can be selected, if not already used

Click Save once the configuration is complete and before leaving the Data page to avoid losing changes

Multi-Factor Methods


2. Configure the Phone Number Blocking frame on the Multi-Factor Configuration section for the specified option(s)

The phone number blocking configuration only applies to this realm

Block Phone Numbers from the Following Sources


3. In Block phone numbers from the following sources, select the phone source(s) to be blocked from receiving Voice OTPs or SMS / Text OTPs

  • Cellular Telephones – Mobile / wireless phone numbers
  • Landlines – Phone numbers of home / office wired lines
  • IP Phones – Virtual phone numbers, also known as DID or access numbers, without a directly associated phone line
  • Toll-free Numbers – Phone numbers with the following area codes: 800, 888, 877, 866, 855 or 844
  • Premium Rate Numbers – Phone numbers or phone calls in which certain services are provided and part of the charges are paid to the service provider
  • Pagers – Phone numbers of call devices that can only receive messages
  • Unknown – Phone number of an anonymous classification

See End-user Experience for configuration results

Block Phone Numbers that Recently Changed Carriers


4. Enable the Block phone numbers that have recently changed carriers feature to prevent newly ported phone numbers from receiving Voice OTPs or SMS / Text OTPs

5. (OPTIONAL) If the feature in step 4 is enabled, selecting the option to Allow users to approve or delete a phone number that has recently changed carriers lets end-users accept or remove a newly ported phone number from the multi-factor methods page during authentication

6. Specify the Property in which to store carrier information by making a selection from the dropdown – e.g. Aux ID 2

Select the Property mapped to the data store, defined in step 1

If using the Authentication API, this is the Property that stores the originalCarrier information

See End-user Experience for configuration results

Click Save once the configuration is complete and before leaving the Multi-Factor Methods page to avoid losing changes

Block or Allow Phone Numbers by Carrier / Country


7. In Block or allow phone numbers by carrier or country, select Enable block / allow list to deny or permit delivery of Voice OTPs or SMS / Text OTPs to phone numbers from the carriers / countries specified on the activated block or allow list

8. Click Define list of blocked / allowed numbers and carriers to configure the block and allow lists

Block or Allow Countries / Carriers


9. On the Block or Allow Countries / Carriers page, indicate whether to Block or Allow numbers of specified countries or carriers

Based on the radio button selection, the heading toggles between Blocked Countries / Carriers and Allowed Countries / Carriers – only one of these two options can be applied

10. Click Add country / carrier

11. In the Find and select countries / carriers box, type in characters of the country / carrier name to block / allow

A filtered list of items appears based on the input – items are organized by country name and carrier names within the country

12. Make the selection(s) from the list of countries and carriers that appears on the picker box below

A selection can be removed from the list by unchecking the box

13. Click Close after all selections are made


14. The list appears with the following information

The name of the latest added country appears at the top of the list – each added carrier name appears as a separate "blue" entry

The name of the latest added carrier in a listed country appears as a new "blue" entry at the end of the country's list

To remove a listed country

Click the X to the right of the country name to remove the country and all carriers listed for that country

To remove a listed carrier

Click the X at the end of the carrier name to remove the selected carrier

See End-user Experience for configuration results

Click Save once the configuration is complete and before leaving the Block or Allow Countries / Carriers page to avoid losing changes

Results of Block or Allow Countries / Carriers after Save


Once saved, the name of each added carrier selection appears "gray" for the given country

NOTE: Countries / carriers can be removed from the list, and the list re-saved

After clicking Save, click Back to return to the Multi-Factor Methods page

End-user Experience

Block Phone Numbers from the Following Sources


1. When logging onto a SecureAuth IdP realm in which one or more phone sources are blocked, if the end-user account includes any of the blocked phone sources, the message "Some multi-factor methods are currently unavailable" appears at the top of the passcode delivery method page and any affected phone number selection is disabled

2. Select an available passcode delivery option and click Submit to go through the selected Multi-Factor Authentication workflow and access the realm

Block Phone Numbers that Recently Changed Carriers


1. When logging onto a SecureAuth IdP realm that has the option to block ported phone numbers enabled, if the end-user account includes a phone number that has recently been ported to another carrier, the message "Some multi-factor methods are currently unavailable" appears at the top of the passcode delivery method page and the ported phone number selection is disabled

2. Select an available passcode delivery option and click Submit to go through the selected Multi-Factor Authentication workflow


3. If the option is enabled to let end-users approve or delete their phone numbers recently ported to another carrier, upon successfully completing the second authentication factor, the message "Your phone number [phone number] has recently changed carriers" appears at the top of the page with the following selections below

  • Approve carrier change for this number – selecting this option enables the phone number as a second authentication factor
  • Delete this number from my profile – selecting this option removes the phone number from the passcode delivery method page
  • Ignore this message for now – selecting this option shows the Approve / Delete / Ignore page on subsequent second factor login attempts until the option to delete the phone number from the profile is enabled

4. After making a selection, click Submit to access the realm

Block or Allow Phone Numbers by Carrier / Country


1. When logging onto a SecureAuth IdP realm that has enabled the option to block a defined list of countries / carriers, if the end-user account includes one or more phone numbers from a country / carrier on the block list, the message "Some multi-factor methods are currently unavailable" appears at the top of the passcode delivery method page and any affected phone number selection is disabled

When logging onto a SecureAuth IdP realm that has enabled the option to allow a defined list of countries / carriers, if the end-user account includes one or more phone numbers from a country / carrier not on the allowed list, the message "Some multi-factor methods are currently unavailable" appears at the top of the passcode delivery method page and any affected phone number selection is disabled

2. Select an available passcode delivery option and click Submit to go through the selected Multi-Factor Authentication workflow and access the realm
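The three blocking rules this guide configures (blocked sources, recently ported numbers checked against the carrier stored in the mapped property, and the mutually exclusive block / allow list), written out as an added Python example. This is not SecureAuth code; the profile fields, the policy structure, the stored-carrier dictionary standing in for the Aux ID property, and the approve-update behaviour are assumptions.

```python
from dataclasses import dataclass, field

UNAVAILABLE = "Some multi-factor methods are currently unavailable"

@dataclass
class PhoneProfile:  # constructed stand-in for one profiling-service lookup (fields assumed)
    number: str
    source: str    # "Cellular", "Landline", "IP Phone", "Toll-free", "Premium Rate", "Pager", "Unknown"
    country: str
    carrier: str

@dataclass
class RealmPolicy:  # mirrors the Phone Number Blocking frame settings for one realm
    blocked_sources: set = field(default_factory=set)
    block_ported: bool = False
    list_enabled: bool = False
    list_mode: str = "block"                     # "block" or "allow"; only one applies
    listed: dict = field(default_factory=dict)   # country -> set of carriers; empty set = whole country

def on_list(policy, profile):
    carriers = policy.listed.get(profile.country)
    if carriers is None:
        return False
    return not carriers or profile.carrier in carriers   # whole country, or a listed carrier

def block_reason(policy, profile, stored_carriers):
    # stored_carriers: number -> carrier recorded in the mapped property (e.g. Aux ID 2).
    # Returns why the number is blocked, or None if an OTP may be dispatched to it.
    if profile.source in policy.blocked_sources:
        return "blocked source: " + profile.source
    if policy.block_ported:
        original = stored_carriers.get(profile.number)
        if original is not None and original != profile.carrier:
            return "recently changed carriers"
    if policy.list_enabled:
        listed = on_list(policy, profile)
        if policy.list_mode == "block" and listed:
            return "country/carrier on block list"
        if policy.list_mode == "allow" and not listed:
            return "country/carrier not on allow list"
    return None

def delivery_page(policy, profiles, stored_carriers):
    # Numbers left selectable on the passcode delivery page, plus the banner shown if any were disabled
    enabled = [p.number for p in profiles if block_reason(policy, p, stored_carriers) is None]
    return enabled, (UNAVAILABLE if len(enabled) < len(profiles) else None)

def approve_carrier_change(stored_carriers, profile):
    # "Approve carrier change for this number": record the new carrier so the number is usable again
    stored_carriers[profile.number] = profile.carrier   # assumed update semantics
```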