Configuring User Authentication for Password Resets
You can configure which authentication methods are available to different types of users when they reset their passwords or unlock their accounts. For example, you might want to have the full set of options for employees but a single option for contractors.
Notes
You might need to define temporary or permanent values for work and personal email addresses and phone numbers for your users.
To require users to always authenticate before resetting their passwords, select the option in your password policy configuration.
Enabling Two-Factor Authentication
- Enable at least two Password Reset and Unlock Method authentication options.
- If you enable verification codes sent to phone or email, ensure users have valid phone numbers and email addresses.
- If you enable security questions as a method, ensure users have questions and answers entered.
To enable two-factor authentication:
- Go to Admin > Identity Management > Identity Profiles.
- Select or create an identity profile.
- In the Settings tab, select your Password Reset and User Unlock Settings:
  - Enable Two-Factor Authentication - Two-factor authentication requires users to complete two of the specified Password Reset and User Unlock Methods before they can reset their password.
  - Enable Phone Masking - Select this option to enable phone number masking when users are resetting their passwords.
Best Practice
SailPoint always recommends using both two-factor authentication and phone masking.
Two-Factor Authentication Rules for Password Resets
When multifactor authentication is enabled, fixed rules determine the order in which the password reset options are shown to users as they go through the password reset process.
The default options for resetting passwords are:
- By providing a verification phone call or code sent to an alternate or work phone number
- By providing a verification code sent to an alternate or work email
- By answering a security question
If only default options are selected and security question is one of them, the security question will be the first step and the other default methods will be the second step.
MFA integrations
- If MFA integration methods like RSA, SafeNet, or Duo are available, they will be the second step and the default methods will be shown as the first step.
- MFA integration methods require additional configuration to be selectable in the identity profile.
Setting Password Reset and User Unlock Methods
You can allow users to reset their passwords or unlock their accounts in several ways: the default options (verification codes sent to a phone and/or email), answering security questions, or entering a code provided by your organization's Helpdesk.
To configure your reset and unlock methods:
- Go to Admin > Identity Management > Identity Profiles.
- Select or create an identity profile.
- In the Password Reset and Account Unlock Methods panel, select the checkboxes next to the methods you want to use:
  - By providing a verification code sent to alternate phone
  - By providing a verification code sent to work phone
  - By providing a verification link sent to alternate email
  - By providing a verification code sent to work email
  - By answering a security question
  - By providing a code sent by your Helpdesk
  Note: Codes are valid for 10 minutes. Links are valid for 120 minutes.
  Your options may differ depending on your configuration and integrations.
- Select Save.
Helpdesk
The Helpdesk option enables your organization's Helpdesk personnel to provide a code over the phone to help users reset their passwords or unlock their accounts. You must:
- Enable the Helpdesk token in the tenant with the Password Configuration API.
- Generate the token for the specified user with the Generate Digit Token API.
Configuring User Prompts
If you configure multifactor authentication methods that use an alternate phone or email, or if you allow users to authenticate with security questions, your users will be prompted to enter that information when they register or the next time they sign in.
If you do not want users to be prompted to enter an alternate phone or email, or to answer security questions, make sure the checkboxes for those options are cleared in the Password Reset and Account Unlock Methods panel. Alternatively, if an alternate phone number or email is aggregated from a source, users will not be prompted to enter that information.
Providing Codes by Phone
If you select By providing a verification code sent to alternate phone or work phone, users can choose whether this code is sent as a voice message or a text message.
Most country codes can receive voice or text messages. Review the list of currently supported country codes to verify that users' phones can work with this option.
International phone numbers must use the E.164 format. Be sure the Work Phone field in related identity profiles has the E.164 transform applied if you want users to have this option.
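The following Python is an added example, not SailPoint's built-in E.164 transform: it normalizes free-form phone values to E.164 the way the transform is expected to, and runs an audit over constructed identity records to show which Work Phone or alternate phone values would not pass as E.164 and therefore block the voice/text option. The country-code and trunk-prefix tables are a constructed subset, the `region` attribute on each record is hypothetical, and the identity records are made up. It also covers the E.164 check mentioned later under Error Not Showing When Code is Not Received.

```python
import re
from typing import Dict, List, Optional, Tuple

# E.164: leading "+", a country calling code that starts with 1-9, at most 15 digits.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")

# Constructed subset of country metadata for this example (not SailPoint data).
# A real deployment would use complete metadata such as libphonenumber's.
COUNTRY_CALLING_CODE: Dict[str, str] = {"US": "1", "GB": "44", "IN": "91", "DE": "49", "CN": "86"}
TRUNK_PREFIX: Dict[str, str] = {"US": "1", "GB": "0", "IN": "0", "DE": "0", "CN": "0"}


def is_e164(number: Optional[str]) -> bool:
    """True when the value is already syntactically valid E.164."""
    return bool(number) and bool(E164_RE.fullmatch(number))


def to_e164(raw: Optional[str], default_region: str = "US") -> Optional[str]:
    """Normalize a free-form phone string to E.164, or return None if it cannot be.

    Only the format is checked: a syntactically valid result can still be an
    unassigned number, so treat the output as a suggestion to review.
    """
    if not raw:
        return None
    text = raw.strip()
    digits = re.sub(r"\D", "", text)
    if not digits:
        return None
    if text.startswith("+"):
        candidate = "+" + digits                      # already written internationally
    elif digits.startswith("00"):
        candidate = "+" + digits[2:]                  # "00" international dial prefix
    else:
        region = default_region.upper()
        calling_code = COUNTRY_CALLING_CODE.get(region)
        if calling_code is None:
            return None
        trunk = TRUNK_PREFIX.get(region, "")
        if trunk and digits.startswith(trunk):
            digits = digits[len(trunk):]              # drop national trunk prefix (0, or 1 in NANP)
        candidate = "+" + calling_code + digits
    return candidate if is_e164(candidate) else None


Finding = Tuple[str, str, str, Optional[str]]


def audit_phone_fields(identities: List[Dict[str, Optional[str]]],
                       fields: Tuple[str, ...] = ("workPhone", "alternatePhone"),
                       default_region: str = "US") -> List[Finding]:
    """Report every phone value that is not E.164, with a suggested fix or None.

    A record may carry a hypothetical "region" attribute so national numbers are
    resolved against the right country; otherwise default_region applies. Getting
    the region wrong is exactly the "incorrect country code" failure described later.
    """
    findings: List[Finding] = []
    for ident in identities:
        region = ident.get("region") or default_region
        for field in fields:
            value = ident.get(field)
            if not value or is_e164(value):
                continue
            findings.append((ident["name"], field, value, to_e164(value, region)))
    return findings


# Constructed sample records; none of these are real people or numbers.
SAMPLE_IDENTITIES: List[Dict[str, Optional[str]]] = [
    {"name": "abby.smith", "region": "US", "workPhone": "+14155552671", "alternatePhone": "(415) 555-0199"},
    {"name": "raj.patel", "region": "IN", "workPhone": "098765 43210", "alternatePhone": None},
    {"name": "li.wei", "region": "CN", "workPhone": "+0 123", "alternatePhone": ""},
]

if __name__ == "__main__":
    for name, field, value, suggestion in audit_phone_fields(SAMPLE_IDENTITIES):
        print(f"{name}.{field}: {value!r} -> {suggestion or 'cannot normalize; fix at the source'}")
```

Run the audit against an export of the mapped phone attributes before enabling the phone option; any row whose suggestion is None needs the value corrected in the source system, since no transform can recover it.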
Creating Custom Instruction Text
You can add customized instructions to help your users reset their password, change their password, unlock their account, and recover their username. This is helpful if you want to emphasize certain policies or provide organization-specific directions. For example, you may want to clarify the username your organization uses for password resets.
Important
Any screens prior to or during multifactor authentication may be publicly available, so be careful about what company-specific information you include.
To create customized instructions:
- Use the Password Org Config API to set customInstructionsEnabled to true.
- Once that is enabled, use the Custom Password Instructions API to create custom page content for the specific pageId you select.
For example, you could use the pageId forget-username:user-email to set the custom text for when a user has forgotten their username and must enter their email. See the Custom Password Instructions API reference for the full list of pageIds you can use, and for pageContent and locale details.
Notes
The mfa:enter-code pageId can also be used for the Helpdesk option.
We recommend that you avoid using territory-specific locales like en-GB or fr-CH in the API. See the list of supported languages.
Read more about using SailPoint APIs.
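The Python below is an added example written for this page, not SailPoint code. It composes the API calls behind both the Helpdesk option (enable digit tokens with the Password Configuration API, then mint one for a named user with the Generate Digit Token API) and the custom instruction text steps (set customInstructionsEnabled, then post page content), and it enforces two caveats from the text: territory-specific locales such as en-GB are rejected, and page content is screened against terms you do not want on a page that may be reachable before authentication. Endpoint paths, JSON field names and the tenant hostname pattern are taken from the v3 API reference as understood by the editor and should be verified against the current reference; the tenant "acme", the user "Abby.Smith" and the forbidden-term list are placeholders. The client runs in dry-run mode by default and only touches the network when dry_run is False and a bearer token is supplied.

```python
import json
import re
import urllib.request
from typing import Any, Dict, List, Optional, Tuple

# Assumed v3 paths; confirm against the current API reference before use.
PASSWORD_ORG_CONFIG_PATH = "/v3/password-org-config"
DIGIT_TOKEN_PATH = "/v3/generate-password-reset-token/digit"
CUSTOM_INSTRUCTIONS_PATH = "/v3/custom-password-instructions"

# Language-only tags such as "en" or "fr"; territory tags like "en-GB" are refused.
LANGUAGE_ONLY_LOCALE = re.compile(r"^[a-z]{2}$")


class ISCClient:
    """Builds v3 API requests and records them; sends them only when dry_run is False."""

    def __init__(self, tenant: str, access_token: Optional[str] = None, dry_run: bool = True):
        self.base = f"https://{tenant}.api.identitynow.com"   # assumed tenant API host pattern
        self.access_token = access_token
        self.dry_run = dry_run
        self.sent: List[Tuple[str, str, Optional[Dict[str, Any]]]] = []   # audit trail

    def request(self, method: str, path: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        url = self.base + path
        self.sent.append((method, url, body))
        if self.dry_run:
            return {"dryRun": True, "method": method, "url": url, "body": body}
        req = urllib.request.Request(
            url,
            data=None if body is None else json.dumps(body).encode("utf-8"),
            method=method,
            headers={"Authorization": f"Bearer {self.access_token}",
                     "Content-Type": "application/json", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:   # network only in a real run
            raw = resp.read()
            return json.loads(raw) if raw else {}


def update_password_org_config(client: ISCClient, **changes: Any) -> Dict[str, Any]:
    """PUT replaces the whole object, so read the current config and merge the change in."""
    current = client.request("GET", PASSWORD_ORG_CONFIG_PATH)
    merged: Dict[str, Any] = {} if current.get("dryRun") else dict(current)
    merged.update(changes)
    return client.request("PUT", PASSWORD_ORG_CONFIG_PATH, merged)


def enable_helpdesk_tokens(client: ISCClient, length: int = 8, duration_minutes: int = 5) -> Dict[str, Any]:
    """Helpdesk step 1: enable digit tokens tenant-wide and bound their length and lifetime."""
    return update_password_org_config(client, digitTokenEnabled=True,
                                      digitTokenLength=length, digitTokenDurationMinutes=duration_minutes)


def generate_helpdesk_token(client: ISCClient, user_id: str, length: int = 8,
                            duration_minutes: int = 5) -> Dict[str, Any]:
    """Helpdesk step 2: mint a short-lived numeric code for one user.
    The agent should read it to the caller only after verifying who they are out of band."""
    return client.request("POST", DIGIT_TOKEN_PATH,
                          {"userId": user_id, "length": length, "durationMinutes": duration_minutes})


def enable_custom_instructions(client: ISCClient) -> Dict[str, Any]:
    """Custom instructions step 1: flip customInstructionsEnabled without clobbering other settings."""
    return update_password_org_config(client, customInstructionsEnabled=True)


def set_custom_instruction(client: ISCClient, page_id: str, page_content: str,
                           locale: str = "en", forbidden: Tuple[str, ...] = ()) -> Dict[str, Any]:
    """Custom instructions step 2. Refuses territory locales and any content that
    contains a forbidden term (for example an internal hostname), since these
    screens can be shown before the user has authenticated."""
    if not LANGUAGE_ONLY_LOCALE.fullmatch(locale):
        raise ValueError(f"use a language-only locale such as 'en', not {locale!r}")
    leaked = [t for t in forbidden if t.lower() in page_content.lower()]
    if leaked:
        raise ValueError(f"page content exposes restricted terms: {leaked}")
    return client.request("POST", CUSTOM_INSTRUCTIONS_PATH,
                          {"pageId": page_id, "pageContent": page_content, "locale": locale})


if __name__ == "__main__":
    c = ISCClient("acme", dry_run=True)   # placeholder tenant; nothing is sent
    enable_helpdesk_tokens(c)
    generate_helpdesk_token(c, "Abby.Smith")
    enable_custom_instructions(c)
    set_custom_instruction(c, "forget-username:user-email",
                           "Enter the email address on file with HR.", forbidden=("corp.internal",))
    for method, url, body in c.sent:
        print(method, url, json.dumps(body))
```

Keep the dry-run output as the change record for the ticket: it lists exactly which settings are being replaced, and the GET-then-PUT merge in update_password_org_config is what stops a custom-instructions change from silently disabling digit tokens (or the reverse).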
Troubleshooting Authentication Errors
Users who attempt to reset a password may encounter the following issues.
Accessing From an Unauthorized Location
If you have restricted access to Identity Security Cloud, users who attempt to change their password from an off-network location may receive an error.
This is because users must authenticate when resetting their password. If a user attempts to authenticate while they are off network, they will be blocked from resetting their password.
Legal Restrictions on Text and Voice Messages
Users residing in a country that has legal restrictions on when text messages can be sent or who they can be sent by may not be able to receive text messages.
For example, regulations in China cause voice messages from Identity Security Cloud to fail. Regulations in India sometimes cause text messages related to Identity Security Cloud to fail.
Important
When defining the strong authentication options available to your users, be aware of any local restrictions that might prevent these messages from being sent.
For more information about Chinese voice message restrictions, see Calling Limitations to China – Twilio Support.
For more information about Indian text message restrictions see Limitations sending SMS messages to Indian mobile devices – Twilio Support.
Error Not Showing When Code is Not Received
If the user does not receive the expected code but sees no error messages, there are two possible issues:
- The phone number they are using has an incorrect country code in their Preferences. This can happen if the user edited their phone number while on an IP address outside their usual location. The user can edit the phone number again from their usual location or correct the country code manually.
- The phone number they are using is an international number that is not using the E.164 format. Be sure that all phone fields in the related identity profiles have the E.164 transform applied if you want users to have this option.
Country Code is Not Supported
If the user receives a message that states "Account not authorized to call phone", this indicates the country code assigned to their phone number is not currently supported. See the full list of available country codes for text and voice messages. You can open a support ticket to add a code to the supported list.
Error When Signing In for the First Time
If the user receives a message that states, "This option is not available for your account. Please contact your administrator" when trying to sign in for the first time, it may be an issue related to supported verification options.
Review their identity profile to ensure the Mappings page includes at least one work phone or work email address.
Alternatively, send the user an invitation and ask them to select Register in the email.