How to set up two factor with SMS OTP

A claim that contains the user's mobile phone number is required. For example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone

OTP Connection settings

  • Order of factors: set the value to Sms. You can also add more methods (Email or Authenticator, separated by commas) so that OTP falls back to them if an error occurs with the Sms method.
  • SMS claim type: set the value to the claim type that contains the user's mobile phone number. Ex: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
  • One Time Password length, One Time Password lifetime, Max input attempts: set the values based on your security requirements.

SMS gateway settings

Identify uses an SMS gateway to send out the SMS message. The SMS gateway settings are saved in a field configuration. You can use either Unwire (a Danish SMS provider) or HTTPRequest as the SMS gateway, but it must be set as default to be used. Note that only one SMS gateway may be set as default; otherwise the system will work incorrectly. There are pre-added field configurations for each kind of SMS gateway.

Configure Unwire as default SMS gateway

Edit the field configuration named UnwireSmsGatewayConfiguration. The values of the following elements can be edited:

  • Username: replace it with the user given by the Unwire provider.
  • Password: replace it with the password given by the Unwire provider.
  • SenderDisplayName: replace it with your sender name.
  • Default: must be set to true to activate this SMS gateway.

You can also add a new configuration for the Unwire SMS gateway: add a new field configuration, copy the Expression of the pre-added Unwire field configuration, and modify it as needed.

Configure HTTPRequest as default SMS gateway

Edit the field configuration named HTTPRequestSmsGatewayConfiguration. The values of the following elements can be edited:

  • Url: the SMS provider URL.
  • RequestUrlParameters: the parameters and values to send to the SMS provider; multiple entries are allowed:
    • sensitive: true to indicate that the parameter and its value will not be logged.
    • name: parameter name.
    • value: parameter value.
  • Default: must be set to true to activate this SMS gateway.
  • ReplaceMobileNumberWithText: reformats the mobile number, e.g. removes some special characters before it is used as the destination phone number; multiple entries are allowed:

From version 5.5, we also support sending the SMS message using POST in addition to the original GET method; just change the value from GET to POST.

You can also add a new configuration for the HTTPRequest SMS gateway: add a new field configuration, copy the Expression of the pre-added HTTPRequest field configuration, and modify it as needed.

SMS template

The OTP plugin uses the default SMS template named DefaultSMSOTPCodeTemplate to send the OTP code. It can be found in System Setup > Field configurations. However, it is not yet supported for the HTTPRequest SMS gateway; use a parameter instead.

Merge field

Two supported merge fields in the SMS gateway settings and template are:

  • SMSNUMBER: represents the user's phone number
  • SMSTEXT: represents the OTP code generated by the OTP plugin
  • SMSBODY: represents the Message of "Default SMS OTP Code Template" (from version 5.6)
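
The sketch below is an added example, not Identify's own code. It shows how an HTTPRequest-style gateway call can be assembled from the settings and merge fields described above, and how the sensitive flag keeps the provider credential and the OTP text out of the log line. The dictionary layout, the Method key, the {SMSNUMBER} and {SMSTEXT} placeholder syntax, the find/replace pairs and the example.invalid URL are assumptions made for illustration.

```python
from urllib.parse import urlencode

# Constructed configuration mirroring the fields described above. The dict
# layout, the "Method" key and the "{...}" placeholder syntax are assumptions
# for this sketch, not the product's actual Expression format.
GATEWAY = {
    "Url": "https://sms.example.invalid/send",
    "Method": "POST",
    "RequestUrlParameters": [
        {"name": "apikey", "value": "constructed-secret", "sensitive": True},
        {"name": "to", "value": "{SMSNUMBER}", "sensitive": False},
        # The parameter carrying the OTP is marked sensitive so the code
        # itself never reaches the log.
        {"name": "text", "value": "Your code is {SMSTEXT}", "sensitive": True},
    ],
    # (find, replace) pairs applied to the number before it is used.
    "ReplaceMobileNumberWithText": [("+", "00"), (" ", ""), ("-", "")],
}


def normalize_number(number, rules):
    """Apply each find/replace rule in order to the claim value."""
    for find, replace in rules:
        number = number.replace(find, replace)
    return number


def build_request(cfg, mobile, otp):
    """Return (method, url, body, log_line) for one OTP message."""
    fields = {
        "{SMSNUMBER}": normalize_number(mobile, cfg["ReplaceMobileNumberWithText"]),
        "{SMSTEXT}": otp,
    }
    wire, logged = [], []
    for p in cfg["RequestUrlParameters"]:
        value = p["value"]
        for token, real in fields.items():
            value = value.replace(token, real)
        wire.append((p["name"], value))
        logged.append((p["name"], "***" if p["sensitive"] else value))
    encoded = urlencode(wire)
    if cfg["Method"] == "GET":
        url, body = cfg["Url"] + "?" + encoded, None  # values travel in the URL
    else:
        url, body = cfg["Url"], encoded  # values travel in the request body
    log_line = f'{cfg["Method"]} {cfg["Url"]} {urlencode(logged, safe="*")}'
    return cfg["Method"], url, body, log_line
```

With GET the secret and the OTP are part of the request URL, so anything that records URLs along the path sees them; with POST they stay in the body.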