Configuring User Authentication for Password Resets
You can configure which authentication methods are available to different types of users when they reset their passwords or unlock their accounts. For example, you might want to have the full set of options for employees but a single option for contractors.
You might need to define temporary or permanent values for work and personal email addresses and phone numbers for your users.
Enabling Two-Factor Authentication
To use two-factor authentication for password reset and user unlocks:
- Enable at least two Password Reset and Unlock Method authentication options.
- If you enable verification codes sent to phone or email, ensure users have valid phone numbers and email addresses.
- If you enable knowledge-based answers (KBA) as a method, ensure users have questions and answers entered.
To enable two-factor authentication:
- Go to Admin > Identities > Identity Profiles.
- Select or create an identity profile.
- In the Settings tab, select your Password Reset and User Unlock Settings:
  - Enable Two-Factor Authentication - Two-factor authentication requires users to complete two of the specified Password Reset and User Unlock Methods before they can reset their password.
  - Enable Phone Masking - Select this option to enable phone number masking when users are resetting their passwords.
SailPoint always recommends using both two-factor authentication and phone masking.
Two-Factor Authentication Rules for Password Resets
When multifactor authentication is enabled, the following rules determine the order in which password reset options are shown to users during the password reset process.
The default options for resetting passwords are:
- By providing a verification phone call or code sent to an alternate or work phone number
- By providing a verification code sent to an alternate or work email
- By answering a security question (KBA)
- If only default options are selected and KBA is one of them, KBA will be the first step and other default methods will be second.
- If MFA integration methods like RSA, SafeNet, or Duo are available, they will be the second step and the default methods will be shown as the first step.
MFA integration methods require additional configuration to be selectable in the identity profile. See Configuring Integrations.
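The ordering rules above are easy to misread when several methods are enabled at once, so here is an added example (not SailPoint code) that encodes them as a function. The method names are illustrative constants chosen for this example, not IdentityNow identifiers; combinations the text does not cover (integrations with no default method, or defaults without KBA) are rejected rather than guessed.

```python
"""Step ordering for two-factor password resets, following the rules in the
text above. Added example, not SailPoint code; method names are illustrative."""

# The three default methods listed on the page.
DEFAULT_METHODS = {"phone_code", "email_code", "kba"}
# MFA integrations named on the page (RSA, SafeNet, Duo, Symantec VIP, Okta Verify).
INTEGRATION_METHODS = {"rsa_securid", "safenet", "duo_web", "symantec_vip", "okta_verify"}


def reset_step_order(enabled):
    """Return (step1, step2) as sorted lists of method names.

    Rules from the text:
      * two-factor reset needs at least two enabled methods;
      * only defaults enabled and KBA among them -> KBA first, other defaults second;
      * any integration enabled -> defaults first, integrations second.
    Any other combination is not specified on the page and raises ValueError.
    """
    enabled = set(enabled)
    unknown = enabled - DEFAULT_METHODS - INTEGRATION_METHODS
    if unknown:
        raise ValueError(f"unknown methods: {sorted(unknown)}")
    if len(enabled) < 2:
        raise ValueError("two-factor reset requires at least two enabled methods")

    defaults = enabled & DEFAULT_METHODS
    integrations = enabled & INTEGRATION_METHODS

    if integrations:
        if not defaults:
            raise ValueError("page defines no order for integrations without a default method")
        return sorted(defaults), sorted(integrations)
    if "kba" in defaults:
        return ["kba"], sorted(defaults - {"kba"})
    raise ValueError("order for default methods without KBA is not specified on this page")


if __name__ == "__main__":
    # KBA plus the other defaults: KBA is step one, phone/email step two.
    print(reset_step_order(["kba", "phone_code", "email_code"]))
    # A default method plus Duo: the default is step one, Duo step two.
    print(reset_step_order(["phone_code", "duo_web"]))
```

Running the module prints the two orderings; the function raises for a single enabled method, which mirrors the requirement above that at least two methods be enabled before two-factor reset can work.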
Setting Password Reset and User Unlock Methods
You can allow users to reset their passwords or unlock their accounts in numerous ways, such as using the default options like sending verifications to a phone and/or email, answering security questions, or by using a code sent by your organization's Helpdesk.
Password Reset and Account Unlock Methods
- By providing a verification code sent to alternate phone
- By providing a verification code sent to work phone
- By providing a verification link sent to alternate email
- By providing a verification code sent to work email
- By answering a security question
- By providing a code sent by your Helpdesk
Note: Codes are valid for 10 minutes. Links are valid for 120 minutes.
- Duo Web
- RSA SecurID
- Symantec VIP
- Okta Verify
- By authenticating with an external identity provider (limited to PingFederate users)
To configure your reset and unlock methods:
- Go to Admin > Identities > Identity Profiles.
- Select or create an identity profile.
- In the Password Reset and Account Unlock Methods panel, select the checkboxes next to the methods you want to use.
Your options may differ depending on your IdentityNow configuration and integrations.
The Helpdesk option enables your organization's Helpdesk personnel to provide a code over the phone to help users reset their passwords or unlock their accounts. You must:
- Enable the Helpdesk token in the tenant with the Password Configuration API.
- Generate the token for the specified user with the Generate Digit Token API.
If you do not see the Helpdesk option, you will need to update the Password Manager. The update manages password resets and unlocks using the chosen methods in the password reset and user unlock settings, as opposed to strong authentication methods.
Configuring User Prompts
If you configure multifactor authentication methods that use an alternate phone or email, or if you allow users to authenticate with security questions, IdentityNow prompts users to enter that information when they register or the next time they sign in.
If you do not want users to be prompted to enter their alternate phone or email or to answer security questions, ensure the checkboxes to authenticate using those options are cleared in both the password resets and unlock panel and in the strong authentication methods panel. Alternatively, if you aggregate an alternate phone number or email, users will not be prompted to enter that information.
Providing Codes by Phone
If you select By providing a verification code sent to alternate phone or work phone, users can choose whether this code is sent as a voice message or a text message.
Most country codes can receive voice or text messages. Review the list of currently supported country codes to verify that users' phones can work with this option.
International phone numbers must use the E.164 format. Be sure the Work Phone field in related identity profiles has the E.164 transform applied if you want users to have this option.
Using External Authentication for Password Resets and Account Unlocks
If you are using IdentityNow as your service provider, you can choose to use an external IDP to perform MFA.
You must select the sign-in method and authentication source in the Identity Profile:
- Go to Admin > Identities > Identity Profiles.
- Under Sign-in Method, select Directory Connection.
- Select the Authentication Source that matches the source configured in your IDP. This feature only works if the identifying characteristics match in both the directory and IdentityNow.
- Under Password Reset and User Unlock Methods, select By authenticating with an external identity provider to allow multifactor authentication with the external identity provider you use. When you select this option, the other options will be disabled.
When enabled, if a user tries to reset their password or unlock their account, they will be directed to their external IDP to authenticate using passwordless MFA (such as receiving a push verification to the user’s phone). After the IDP verifies their identity, they are sent back to IdentityNow to reset their password or unlock their account.
Creating Custom Instruction Text
You can add customized instructions to help your users reset their password, change their password, unlock their account, and recover their username. This is helpful if you want to emphasize certain policies or provide organization-specific directions.
For example, you may want to clarify the username your organization uses for password resets.
Any screens prior to or during multifactor authentication may be publicly available, so be careful about what company-specific information you include.
To create customized instructions:
- Use the Password Org Config API to set
- Once that is enabled, use the Custom Password Instructions APIs to create custom page content for the specific pageId you select.
For example, you could use the pageId forget-username:user-email to set the custom text for when a user has forgotten their username and must enter their email. See the Custom Password Instructions API above for the full list of pageIds you can use, pageContent, and locale details.
The mfa:enter-code pageId can also be used for the Helpdesk option.
We recommend that you avoid using territory-specific locales like en-GB or fr-CH in the API. See the list of supported languages.
Read more about using SailPoint APIs.
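The pageId, pageContent and locale fields described above are the whole payload of a custom instruction, and the locale recommendation is easy to violate by copying a browser locale such as en-GB. The following is an added example, not SailPoint code: it validates the locale as language-only and the pageId as the flow:step shape shown on the page before building the request. The endpoint path, the tenant URL pattern and the bearer-token header are assumptions for illustration; use the path from the Custom Password Instructions API reference the text points to.

```python
"""Build a custom-password-instruction payload with the locale check from the text.
Added example, not SailPoint code. ASSUMED_ENDPOINT is an assumption, not from the page."""
import json
import re
from urllib import request

# Assumed URL pattern for illustration only; take the real path from the API reference.
ASSUMED_ENDPOINT = "https://{tenant}.api.identitynow.com/v3/custom-password-instructions"

# Language-only locale such as 'en' or 'fr'; rejects territory locales like en-GB or fr-CH.
LANGUAGE_ONLY = re.compile(r"^[a-z]{2,3}$")
# pageId shape seen on the page: '<flow>:<step>', e.g. forget-username:user-email.
PAGE_ID_RE = re.compile(r"^[a-z]+(?:-[a-z]+)*:[a-z]+(?:-[a-z]+)*$")


def build_instruction(page_id, page_content, locale="en"):
    """Return the JSON-ready payload, or raise ValueError for a bad pageId/locale."""
    if not PAGE_ID_RE.fullmatch(page_id):
        raise ValueError(f"pageId {page_id!r} is not in '<flow>:<step>' form")
    if not LANGUAGE_ONLY.fullmatch(locale):
        raise ValueError(f"use a language-only locale (e.g. 'en'), not {locale!r}")
    if not page_content.strip():
        raise ValueError("pageContent must not be empty")
    return {"pageId": page_id, "pageContent": page_content, "locale": locale}


def instruction_request(tenant, bearer_token, payload):
    """Prepare (but do not send) the POST carrying the payload; caller opens it."""
    return request.Request(
        ASSUMED_ENDPOINT.format(tenant=tenant),
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":
    payload = build_instruction(
        "forget-username:user-email",
        "Enter the work email address your organization assigned to you.",
        "en",
    )
    req = instruction_request("example-tenant", "PLACEHOLDER_TOKEN", payload)
    print(req.full_url, req.data.decode())
    # request.urlopen(req) would submit it; omitted so the example runs offline.
```

Because nothing is sent until the caller passes the prepared request to urlopen, the validation can be run against a whole set of drafted instructions first, which is where territory locales usually slip in.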
Troubleshooting Authentication Errors
If your user attempts to use strong authentication or to reset a password, they could experience a few issues.
Legal Restrictions on Text and Voice Messages
Users residing in a country that has legal restrictions on when text messages can be sent, or by whom they can be sent, may not be able to receive text messages.
For example, regulations in China cause voice messages related to IdentityNow to fail. Regulations in India sometimes cause text messages related to IdentityNow to fail.
When defining the strong authentication options available to your users, be aware of any local restrictions that might prevent these messages from being sent.
For more information about Chinese voice message restrictions, see Calling Limitations to China – Twilio Support.
For more information about Indian text message restrictions see Limitations sending SMS messages to Indian mobile devices – Twilio Support.
Error Not Showing When Code is Not Received
If the user does not receive the expected code but sees no error messages, there are two possible issues:
- The phone number they are using has an incorrect country code in their Preferences. This can happen if the user edited their phone number while on an IP address other than their usual location. The user can edit the phone number from a better IP address or manually correct the country code.
- The phone number they are using is an international number that is not using the E.164 format. Be sure that all phone fields in the related identity profiles have the E.164 transform applied if you want users to have this option.
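Both the Providing Codes by Phone section and the troubleshooting item above come down to the same two checks: is the stored number in E.164 form, and is its country code on the supported list. The following added example (not SailPoint code) runs those checks over identity records before users hit the reset flow. The records, the supported-code set and the field name workPhone are constructed for the example; the real supported list is the one SailPoint publishes, which this example does not reproduce.

```python
"""Audit stored work phones for E.164 format and supported country codes.
Added example, not SailPoint code; sample data below is constructed."""
import re

# E.164: '+' followed by 2..15 digits, first digit never 0 (country codes start 1-9).
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")

# Constructed sample of supported calling codes (US/Canada, France, UK, Germany).
SAMPLE_SUPPORTED_CODES = {"1", "33", "44", "49"}

# Constructed identity records; 555-01xx and 020 7946 xxxx are reserved fictional ranges.
SAMPLE_RECORDS = [
    {"id": "u1", "workPhone": "+14155550100"},     # valid, supported
    {"id": "u2", "workPhone": "(415) 555-0101"},   # national format, no E.164 transform applied
    {"id": "u3", "workPhone": "+442079460000"},    # valid, supported
    {"id": "u4", "workPhone": "+8613800000000"},   # valid E.164, code not in sample list
    {"id": "u5", "workPhone": ""},                 # missing
    {"id": "u6", "workPhone": "+0123456"},         # leading zero: not E.164
]


def is_e164(number):
    return bool(number) and E164_RE.fullmatch(number) is not None


def country_code(number, supported):
    """Longest-prefix match (3, then 2, then 1 digits) against the supported set, else None."""
    digits = number[1:]
    for width in (3, 2, 1):
        if digits[:width] in supported:
            return digits[:width]
    return None


def audit_phones(records, supported=SAMPLE_SUPPORTED_CODES, field="workPhone"):
    """Return (id, phone, issue) for every record that would fail phone-based verification."""
    findings = []
    for rec in records:
        phone = (rec.get(field) or "").strip()
        if not phone:
            findings.append((rec["id"], phone, "missing work phone"))
        elif not is_e164(phone):
            findings.append((rec["id"], phone, "not E.164 (apply the E.164 transform)"))
        elif country_code(phone, supported) is None:
            findings.append((rec["id"], phone, "country code not in supported list"))
    return findings


if __name__ == "__main__":
    for ident, phone, issue in audit_phones(SAMPLE_RECORDS):
        print(f"{ident}: {phone!r}: {issue}")
```

Records flagged as "not E.164" are the ones the E.164 transform on the Work Phone field would fix; records flagged for an unsupported country code are the ones that would otherwise surface as the "Account not authorized to call phone" message described below, and are candidates for a support ticket.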
Country Code is Not Supported
If the user receives a message that states "Account not authorized to call phone", this indicates the country code assigned to their phone number is not currently supported. See the full list of available country codes for text and voice messages. You can open a support ticket to add a code to the supported list.
Error When Signing In for the First Time
If the user receives a message that states, "This option is not available for your account. Please contact your administrator" when trying to sign in for the first time, it may be an issue related to supported verification options.
Review their identity profile to ensure that:
- The Mappings page includes at least a work phone or a work email address.
- The Strong Authentication Options panel includes a selected option that supports either, or both, of their work phones or emails.
Alternatively, send the user an invitation and ask them to select Register in the email. This allows them to define additional strong authentication methods, such as security questions, before they sign in.