Configuring User Authentication for Password Resets

You can configure which authentication methods are available to different types of users when they reset their passwords or unlock their accounts. For example, you might want to have the full set of options for employees but a single option for contractors.

Notes

You might need to define temporary or permanent values for work and personal email addresses and phone numbers for your users.

To require users to always authenticate before resetting their passwords, select the option in your password policy configuration.

Enabling Two-Factor Authentication

• Enable at least two Password Reset and Unlock Method authentication options.
• If you enable verification codes sent to phone or email, ensure users have valid phone numbers and email addresses.
• If you enable security questions as a method, ensure users have questions and answers entered.

To enable two-factor authentication:

1. Go to Admin > Identity Management > Identity Profiles.

2. Select or create an identity profile.

3. In the Settings tab, select your Password Reset and User Unlock Settings:

   • Enable Two-Factor Authentication - Two-factor authentication requires users to complete two of the specified Password Reset and User Unlock Methods before they can reset their password.

   • Enable Phone Masking - Select this option to enable phone number masking when users are resetting their passwords.

Best Practice

SailPoint always recommends using both two-factor authentication and phone masking.

Two-Factor Authentication Rules for Password Resets

When multifactor authentication is enabled, set rules determine the order of password reset options shown to users as they go through the password reset process.

The default options for resetting passwords are:

• By providing a verification phone call or code sent to an alternate or work phone number

• By providing a verification code sent to an alternate or work email

• By answering a security question. If only default options are selected and security question is one of them, the security question will be the first step and other default methods will be second.

MFA integrations

• If MFA integration methods like RSA, SafeNet, or Duo are available, they will be the second step and the default methods will be shown as the first step.
• MFA integration methods require additional configuration to be selectable in the identity profile.

Setting Password Reset and User Unlock Methods

You allow users to reset their passwords or unlock their accounts in numerous ways, such as using the default options like sending verifications to a phone and/or email, answering security questions, or by using a code sent by your organization's Helpdesk.

To configure your reset and unlock methods:

1. Go to Admin > Identity Management > Identity Profiles.
2. Select or create an identity profile.

3. In the Password Reset and Account Unlock Methods panel, select the checkboxes next to the methods you want to use.

   SailPoint MethodsExternal Methods

   • By providing a verification code sent to alternate phone
   • By providing a verification code sent to work phone
   • By providing a verification link sent to alternate email
   • By providing a verification code sent to work email
   • By answering a security question
   • By providing a code sent by your Helpdesk

   Note: Codes are valid for 10 minutes. Links are valid for 120 minutes.

   • Duo Web
   • RSA SecurID
   • Symantec VIP
   • Okta Verify
   • By authenticating with an external identity provider (limited to PingFederate users)

   Your options may differ depending on your IdentityNow configuration and integrations.

4. Select Save.

Helpdesk

The Helpdesk option enables your organization's Helpdesk personnel to provide a code over the phone to help users reset their passwords or unlock their accounts. You must:

1. Enable the Helpdesk token in the tenant with the Password Configuration API.
2. Generate the token for the specified user with the Generate Digit Token API.

Configuring User Prompts

If you configure multifactor authentication methods that use an alternate phone or email, or if you allow users to authenticate with security questions, IdentityNow prompts users to enter that information when they register or the next time they sign in.

If you do not want users to be prompted to enter their alternate phone or email or to answer security questions, ensure the checkboxes to authenticate using those options are cleared in the password resets and unlock panel. Alternatively, if you aggregate an alternate phone number or email, users will not be prompted to enter that information.

Providing Codes by Phone

If you select By providing a verification code sent to alternate phone or work phone, users can choose whether this code is sent as a voice message or a text message.

Most country codes can receive voice or text messages. Review the list of currently supported country codes to verify that users' phones can work with this option.

International phone numbers must use the E.164 format. Be sure the Work Phone field in related identity profiles has the E.164 transform applied if you want users to have this option.

Using External Authentication for Password Resets and Account Unlocks

If you are using IdentityNow as your service provider, you can choose to use an external IDP to perform MFA.

You must select the sign-in method and authentication source in the Identity Profile:

1. Go to Admin > Identity Management > Identity Profiles.
2. Under Sign-in Method, select Directory Connection.
3. Select the Authentication Source that matches the source configured in your IDP. This feature only works if the identifying characteristics match in both the directory and IdentityNow.
4. Under Password Reset and User Unlock Methods, select By authenticating with an external identity provider to allow multifactor authentication with the external identity provider you use. When you select this option, the other options will be disabled.

When enabled, if a user tries to reset their password or unlock their account, they will be directed to their external IDP to authenticate using passwordless MFA (such as receiving a push verification to the user’s phone). After the IDP verifies their identity, they are sent back to IdentityNow to reset their password or unlock their account.

Creating Custom Instruction Text

You can add customized instructions to help your users reset their password, change their password, unlock their account, and recover their username. This is helpful if you want to emphasize certain policies or provide organization-specific directions.

For example, you may want to clarify the username your organization uses for password resets.

Important

Any screens prior to or during multifactor authentication may be publicly available, so be careful about what company-specific information you include.

To create customized instructions:

1. Use the Password Org Config API to set customInstructionsEnabled to true.
2. Once that is enabled, use the Custom Password Instructions APIs to create custom page content for the specific pageId you select.

For example, you could use the pageId forget-username:user-email to set the custom text for when a user has forgotten their username and must enter their email. See the Custom Password Instructions API above for the full list of pageIds you can use, pageContent, and locale details.

Notes

The mfa:enter-code pageId can also be used for the Helpdesk option.

We recommend that you avoid using territory-specific locales like en-GB or fr-CH in the API. See the list of supported languages.

Read more about using SailPoint APIs.

Troubleshooting Authentication Errors

If your user attempts to reset a password, they could experience a few issues.

Accessing From an Unauthorized Location

If you have restricted access to IdentityNow, users who attempt to change their password from an off-network location may receive an error.

This is because users must authenticate when resetting their password. If a user attempts to authenticate while they are off network, they will be blocked from resetting their password.

Legal Restrictions on Text and Voice Messages

Users residing in a country that has legal restrictions on when text messages can be sent or who they can be sent by may not be able to receive text messages.

For example, regulations in China cause voice messages related to IdentityNow to fail. Regulations in India sometimes cause text messages related to IdentityNow to fail.

Important

When defining the strong authentication options available to your users, be aware of any local restrictions that might prevent these messages from being sent.

For more information about Chinese voice message restrictions, see Calling Limitations to China – Twilio Support.

For more information about Indian text message restrictions see Limitations sending SMS messages to Indian mobile devices – Twilio Support.

Error Not Showing When Code is Not Received

If the user does not receive the expected code but sees no error messages, there are two possible issues:

1. The phone number they are using has an incorrect country code in their Preferences​. This can happen if the user edited their phone number while on an IP address other than their usual location. The user can edit the phone number from a better IP address or manually edit the code itself.
2. The phone number they are using is an international number that is not using the E.164 format. Be sure that all phone fields in the related identity profiles have the E.164 transform applied if you want users to have this option.

Country Code is Not Supported

If the user receives a message that states "Account not authorized to call phone", this indicates the country code assigned to their phone number is not currently supported. See the full list of available country codes for text and voice messages. You can open a support ticket to add a code to the supported list.

Error When Signing In for the First Time

If the user receives a message that states, "This option is not available for your account. Please contact your administrator" when trying to sign in for the time, it may be an issue related to supported verification options.

Review their identity profile to ensure the Mappings page includes at least one work phone or work email address.

Alternatively, send the user an invitation and ask them to select Register in the email.