Configuring User Authentication for Password Resets
You can configure which authentication methods are available to different types of users when they reset their passwords or unlock their accounts. Because different user populations might present different levels of risk to your organization, you can control their options based on the identity profile they belong to. For example, you might want to have the full set of options for employees but a single option for contractors.
You might need to define temporary or permanent values for work and personal email addresses and phone numbers for your users.
Enabling Two-Factor Authentication
To successfully use two-factor authentication for password reset and user unlocks, ensure you do the following:
- Enable at least two Password Reset and Unlock Method authentication options.
- If you enable verification codes sent to phone or email, ensure that users have valid phone numbers and email addresses.
- If you enable knowledge based answers (KBA) as a method, ensure that users have questions and answers entered.
To enable two-factor authentication:
- Select Identities > Identity Profiles.
- Select the profile you want to edit.
- In the Password Reset and User Unlock settings, select from the following methods:
Enable Two-Factor Authentication - Two-factor authentication requires users to complete two of the specified Password Reset and User Unlock Methods before they can reset their password.
Enable Phone Masking - Select this option to enable phone number masking when users are resetting their passwords.
SailPoint always recommends using both two-factor authentication and phone masking.
Two-Factor Authentication Rules for Password Resets
When multi-factor authentication is enabled, preset rules determine the order in which the password reset options are shown to users as they go through the password reset process.
The default options for resetting passwords are:
- By providing a verification phone call or code sent to an alternate or work phone number
- By providing a verification code sent to an alternate or work email
- By answering a security question (KBA)
- If only default options are selected and KBA is one of them, KBA will be the first step and other default methods will be second.
- If MFA integration methods like RSA, SafeNet, or Duo are available, they will be the second step and the default methods will be shown as the first step.
MFA integration methods require additional configuration to be selectable in the identity profile. See Configuring Integrations.
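The two-step ordering rules above, together with the prerequisites listed under Enabling Two-Factor Authentication, are small enough to encode as a check an administrator can run before turning the feature on. The following is an added example, not SailPoint code: the method names ("phone", "email", "kba", "rsa", "safenet", "duo") and the user record fields are assumptions, and the case where only default methods are enabled and none of them is KBA is not covered by the rules above, so the example reports it as a shared pool rather than inventing an order.

```python
"""Model of the Password Reset and User Unlock two-step ordering rules.

Added example; method names, user fields and the handling of the
"defaults only, no KBA" case are assumptions, not SailPoint behaviour.
"""

DEFAULT_METHODS = {"phone", "email", "kba"}          # built-in reset options
INTEGRATION_METHODS = {"rsa", "safenet", "duo"}     # MFA integrations


def plan_reset_steps(enabled):
    """Return (step_one_methods, step_two_methods) for the enabled methods."""
    enabled = {m.lower() for m in enabled}
    unknown = enabled - DEFAULT_METHODS - INTEGRATION_METHODS
    if unknown:
        raise ValueError(f"unknown method(s): {sorted(unknown)}")
    # Two-factor reset needs at least two enabled methods.
    if len(enabled) < 2:
        raise ValueError("enable at least two Password Reset and Unlock methods")

    defaults = sorted(enabled & DEFAULT_METHODS)
    integrations = sorted(enabled & INTEGRATION_METHODS)

    if integrations:
        # Integration methods (RSA, SafeNet, Duo) are the second step and the
        # default methods are shown as the first step.
        if not defaults:
            # Assumption: with no default method there is nothing for step one.
            raise ValueError("at least one default method is needed for step one")
        return (defaults, integrations)

    if "kba" in enabled:
        # Only default methods, KBA among them: KBA first, the others second.
        return (["kba"], [m for m in defaults if m != "kba"])

    # Only default methods and no KBA: no ordering rule is stated, so both
    # steps draw from the same pool (assumption).
    return (defaults, defaults)


def missing_prerequisites(user, enabled):
    """List the per-user prerequisites that are unmet for the enabled methods:
    a phone number for phone codes, an email address for email codes and
    stored questions/answers for KBA. Field names are assumptions."""
    enabled = {m.lower() for m in enabled}
    missing = []
    if "phone" in enabled and not user.get("phone"):
        missing.append("phone")
    if "email" in enabled and not user.get("email"):
        missing.append("email")
    if "kba" in enabled and not user.get("kba_answers"):
        missing.append("kba")
    return missing


if __name__ == "__main__":
    # Constructed sample: a contractor profile with phone, KBA and Duo enabled.
    enabled = ["phone", "kba", "duo"]
    print("steps:", plan_reset_steps(enabled))
    user = {"email": "jdoe@example.test", "kba_answers": []}  # constructed
    print("missing for user:", missing_prerequisites(user, enabled))
```

Running the check over the identities in a profile before enabling two-factor reset shows which users would be locked out of the flow (no phone, no stored KBA answers) rather than discovering it from helpdesk tickets.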
Setting Password Reset and User Unlock Methods
In the Password Reset and User Unlock Methods panel in the Identity Profile, you can allow users to reset their passwords or unlock their accounts by using the default options like sending verifications to a phone and/or email, by answering security questions, by using external authentication that you’ve integrated with IdentityNow, or by using a code sent by your organization's Helpdesk. See the image below showing the full set of options available based on your configurations:
Codes are valid for 10 minutes.
The Helpdesk option enables your organization's Helpdesk personnel to provide a code over the phone to help users reset their passwords or unlock their accounts. To build a solution that meets your security requirements, contact your CSM for the API information and then work with SailPoint Professional Services to complete the setup.
If you do not see the Helpdesk option, you will need to opt into the updated Password Manager experience. This manages password resets and unlocks by using the chosen methods in the password reset and user unlock settings, as opposed to strong authentication methods.
Configuring User Prompts
If you configure multi-factor authentication methods that use an alternate phone or email, or if you allow users to authenticate with security questions, IdentityNow prompts users to enter that information when they register or the next time they sign in.
If you do not want users to be prompted to enter their alternate phone or email or to answer security questions, ensure the boxes to authenticate using those options are unchecked in both the password resets and unlock panel and in the strong authentication methods panel. Alternatively, if you aggregate an alternate phone number or email, users will not be prompted to enter that information.
Providing Codes by Phone
If you select By providing a verification code sent to alternate phone or work phone, users can choose whether this code is sent as a voice message or a text message.
Most country codes can receive voice or text messages. Review the list of currently supported country codes to verify that the users' phones can work with this option.
Using External Authentication for Password Resets and Account Unlocks
If you are using IdentityNow as your service provider, you can choose to use an external IDP to perform MFA.
You must select the sign-in method and authentication source in the Identity Profile:
- Go to Admin > Identities > Identity Profiles.
- Under Sign-in Method, select Directory Connection.
- Select the Authentication Source that matches the source configured in your IDP. This feature only works if the identifying characteristics match in both the directory and IdentityNow.
- Under Password Reset and User Unlock Methods, select By authenticating with an external identity provider to allow multi-factor authentication with the external identity provider you use. When you select this option, the other options will be disabled.
When enabled, if a user tries to reset their password or unlock their account, they will be directed to their external IDP to authenticate using passwordless MFA (such as receiving a push verification to the user’s phone). After the IDP verifies their identity, they are sent back to IdentityNow to reset their password or unlock their account.
Creating Custom Instruction Text
You can add customized instructions to help your users reset their password, change their password, unlock their account, and recover their username. This is helpful if you want to emphasize certain policies or provide organization-specific directions.
For example, you may want to clarify the username your organization uses for password resets.
Any screens prior to or during multi-factor authentication may be publicly available, so be careful about what company-specific information you include.
To create customized instructions:
- Use the Password Org Config API to set
- Once that is enabled, use the Custom Password Instructions APIs to create custom page content for the specific pageId you select.
For example, you could use the pageId forget-username:user-email to set the custom text for when a user has forgotten their username and must enter their email. See the Custom Password Instructions API above for the full list of pageIds you can use, pageContent, and locale details.
mfa:enter-code pageId can also be used for the Helpdesk option.
We recommend that you avoid using territory-specific locales like en-GB or fr-CH in the API. See the list of supported languages.
Read more about using SailPoint APIs.
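The procedure above has two ordered API calls and two caveats (territory-specific locales and publicly visible page text). The following added example, which is not SailPoint's code, builds and validates those requests before anything is sent. The endpoint paths, the `customInstructionsEnabled` flag and the JSON field names are assumptions derived from the API names above, so confirm them against the API reference; the pageIds come from the text.

```python
"""Build and validate Custom Password Instructions requests.

Added example, not SailPoint code. Endpoint paths and JSON field names
are assumptions based on the API names in the text above.
"""
import json
import re
import urllib.request

PASSWORD_ORG_CONFIG_PATH = "/v3/password-org-config"          # assumption
CUSTOM_INSTRUCTIONS_PATH = "/v3/custom-password-instructions"  # assumption

TERRITORY_LOCALE = re.compile(r"^[a-z]{2}[-_][A-Za-z]{2}$")  # e.g. en-GB, fr-CH
LANGUAGE_LOCALE = re.compile(r"^[a-z]{2}$")                  # e.g. en, fr


def check_locale(locale):
    """Reject territory-specific locales (en-GB, fr-CH); accept language codes."""
    if TERRITORY_LOCALE.match(locale):
        raise ValueError(f"territory-specific locale {locale!r}; use the language code only")
    if not LANGUAGE_LOCALE.match(locale):
        raise ValueError(f"unrecognised locale {locale!r}")
    return locale


def check_page_content(page_content, internal_terms=()):
    """Pre-MFA screens may be public: refuse text containing terms the
    administrator has marked as internal (constructed list, assumption)."""
    lowered = page_content.lower()
    leaked = [t for t in internal_terms if t.lower() in lowered]
    if leaked:
        raise ValueError(f"page content mentions internal term(s): {leaked}")
    return page_content


def enable_custom_instructions_request():
    """Step 1: turn the feature on in the Password Org Config (field name assumed)."""
    return ("PUT", PASSWORD_ORG_CONFIG_PATH, {"customInstructionsEnabled": True})


def custom_instruction_request(page_id, page_content, locale="en", internal_terms=()):
    """Step 2: one Custom Password Instructions entry for a pageId."""
    if ":" not in page_id:  # pageIds on the page look like 'forget-username:user-email'
        raise ValueError(f"pageId {page_id!r} should look like 'page:section'")
    body = {
        "pageId": page_id,
        "pageContent": check_page_content(page_content, internal_terms),
        "locale": check_locale(locale),
    }
    return ("POST", CUSTOM_INSTRUCTIONS_PATH, body)


def build_plan(instructions, internal_terms=()):
    """Ordered request list: the org config flag must be set before any
    custom page content is created."""
    plan = [enable_custom_instructions_request()]
    for page_id, content, locale in instructions:
        plan.append(custom_instruction_request(page_id, content, locale, internal_terms))
    return plan


def send(base_url, token, request):
    """Perform one request from the plan (real network call; not used offline)."""
    method, path, body = request
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: two pageIds from the text, English only.
    plan = build_plan([
        ("forget-username:user-email", "Enter the email address on your employee record.", "en"),
        ("mfa:enter-code", "Enter the code the Helpdesk gave you over the phone.", "en"),
    ], internal_terms=("intranet.corp",))
    for method, path, body in plan:
        print(method, path, json.dumps(body))
    # To apply: for r in plan: send("https://TENANT.api.identitynow.com", TOKEN, r)
```

Building the plan first means a bad locale or a leaked internal hostname is caught before the feature flag is flipped, and the printed requests double as a change record for the review.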
Troubleshooting Authentication Errors
If your user attempts to use strong authentication or to reset a password, they could experience a few issues.
Legal Restrictions on Text and Voice Messages
Users residing in a country that has legal restrictions on when text messages can be sent or who they can be sent by may not be able to receive text messages.
For example, regulations in China cause voice messages related to IdentityNow to fail. Regulations in India sometimes cause text messages related to IdentityNow to fail.
When defining the strong authentication options available to your users, be aware of any local restrictions that might prevent these messages from being sent.
For more information about Chinese voice message restrictions, see Calling Limitations to China – Twilio Support.
For more information about Indian text message restrictions see Limitations sending SMS messages to Indian mobile devices – Twilio Support.
Error Not Showing When Code is Not Received
If the user does not receive the expected code but sees no error messages, there are two possible issues:
- The phone number they are using has an incorrect country code in their Preferences. This can happen if the user edited their phone number while on an IP address other than their usual location. The user can edit the phone number from an IP address in their usual location or manually correct the country code.
- The phone number they are using is an international number that is not using the E.164 format. Be sure that all phone fields in the related identity profiles have the E.164 transform applied if you want users to have this option.
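Both causes above are silent: the code is simply never delivered. An administrator can find affected identities ahead of time by checking that every phone field is already in E.164 form (a leading `+`, a country code that does not start with 0, and at most 15 digits). The following is an added example, not SailPoint's E.164 transform: it normalises common human-entered forms and audits a set of identity records. The record field names and the default-country-code handling (including dropping a national trunk `0`) are assumptions.

```python
"""E.164 normalisation and audit of phone fields.

Added example, not the IdentityNow E.164 transform. Field names and the
default-country-code rules are assumptions.
"""
import re

# E.164: '+', a country code starting 1-9, at most 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def is_e164(number):
    return bool(number) and bool(E164.match(number))


def to_e164(raw, default_country_code=None):
    """Normalise a human-entered phone number to E.164.

    default_country_code: digits only (e.g. "1", "44"); applied when the
    input has no '+' or '00' prefix (assumption: such numbers are national
    numbers of that country). A single leading national trunk '0' is then
    dropped, which is correct for most but not all countries (assumption).
    """
    if not raw or not raw.strip():
        raise ValueError("empty phone number")
    s = raw.strip()
    has_plus = s.startswith("+")
    digits = re.sub(r"\D", "", s)  # drop spaces, dashes, dots, parentheses
    if not digits:
        raise ValueError(f"no digits in {raw!r}")

    if has_plus:
        candidate = "+" + digits
    elif digits.startswith("00"):
        candidate = "+" + digits[2:]  # international dialling prefix
    elif default_country_code:
        cc = default_country_code.lstrip("+")
        national = digits[1:] if digits.startswith("0") else digits
        candidate = "+" + cc + national
    else:
        raise ValueError(f"{raw!r} has no country code and no default was given")

    if not is_e164(candidate):
        raise ValueError(f"{raw!r} -> {candidate!r} is not valid E.164")
    return candidate


def audit_phone_fields(identities, fields=("workPhone", "alternatePhone")):
    """Return {identity_id: [field, ...]} for phone fields that are set but
    not in E.164 form; these users would get no code and no error."""
    bad = {}
    for ident in identities:
        for field in fields:
            value = ident.get(field)
            if value and not is_e164(value):
                bad.setdefault(ident["id"], []).append(field)
    return bad


if __name__ == "__main__":
    # Constructed sample records (not real identities).
    sample = [
        {"id": "u1", "workPhone": "+15550100123"},
        {"id": "u2", "workPhone": "555 010 0123", "alternatePhone": "+447700900123"},
        {"id": "u3", "workPhone": "0044 7700 900123"},
    ]
    print("not E.164:", audit_phone_fields(sample))
    for rec in sample:
        print(rec["workPhone"], "->", to_e164(rec["workPhone"], default_country_code="1"))
```

Run the audit against an export of the identity profile's phone attributes before enabling phone codes; the normaliser shows what the E.164 transform would need to produce, but the authoritative fix is applying that transform to the phone fields in the identity profile.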
Country Code is Not Supported
If the user sees a message that reads "Account not authorized to call phone", this indicates that the country code assigned to their phone number is not currently supported. See the full list of available country codes for text and voice messages. You can open a support ticket to add a code to the supported list.
Error When Signing In for the First Time
If the user sees the message "This option is not available for your account. Please contact your administrator" when trying to sign in for the first time, it may be an issue related to supported verification options.
Review their identity profile to ensure that:
- The Mappings page includes at least a work phone or a work email address.
- The Strong Authentication Options panel includes a selected option that supports either, or both, of their work phones or emails.
Alternatively, send the user an invitation and ask them to select Register in the email. This allows them to define additional strong authentication methods, such as security questions, before they sign in.