A one-time password (OTP) authenticator is a random series of characters that is sent to the mobile device number or email address of a user during authentication. If you are using WeChat or WhatsApp for OTP delivery, ensure that you have completed the prerequisites.
Before configuring the OTP policies, complete the following prerequisites:
● For OTP delivery by email, phone, or mobile, configure one of the following system attributes, as required:
– Mobile
– Phone
● For OTP delivery using WeChat, complete the following:
– Create a custom user attribute to use WeChat for OTP delivery.
– Create a WeChat Admin portal if you do not already have one, and then obtain the following from your WeChat portal:
● App ID
● App Secret
● WeChat OTP Template ID
– Copy the Redirect URL from IDaaS to paste into your WeChat Admin portal (see Create WeChat External Credentials).
● For OTP delivery using WhatsApp, complete the following:
– Create a custom user attribute to use WhatsApp for OTP delivery.
– Create a WhatsApp Admin portal if you do not already have one, and then obtain the following from your WhatsApp portal:
● Message Access Token
● Account ID
● WhatsApp OTP Template ID
– See Create WhatsApp External Credentials.
Note: An Admin API can also be used to retrieve the OTP.
See Create and manage user attributes for more information on user attributes.
Modify OTP authenticator settings
1. Click > Policies > Authenticators. The Authenticators page appears.
2. Select One Time Password. The One Time Password settings page appears.
3. From the OTP Type drop-down list, select one of the following:
● Random—creates a random OTP
● MemoPasscode™—creates an easier-to-remember OTP using a combination of letters and numbers
4. Enter the OTP Length. For example, if you enter 4, the OTP is always four characters in length.
5. In the OTP Alphabet field, enter the characters that can appear in the OTP. You can enter specific letters, numbers, and special characters. For example, if you set it to a3#, the OTP is built only from the characters a, 3 and #.
Note: An OTP delivered by VOICE is hard for users to follow when it contains letters or special characters rather than numbers only. Numeric-only OTPs are recommended if VOICE is used as an OTP delivery method.
6. Enter the OTP Lifetime, the number of seconds after generation during which a user can use the OTP to authenticate.
7. Select the OTP Default Delivery Methods used to send the OTP to the user. If you select multiple delivery methods, drag and drop the methods into order of preference.
Note: The default is the system attribute. If you have defined alternate OTP delivery attributes (see Create and manage user attributes), you can select one of them as the OTP Default Delivery Contact Attribute instead of the default system attribute.
IDaaS uses the default OTP delivery method, except as follows:
- If a user selects a delivery type when authenticating, IDaaS uses the user's chosen delivery method to send the OTP. Otherwise, IDaaS uses the default.
- If the user selects their own default in their user profile, IDaaS uses the user's chosen delivery method to send the OTP.
8. Select the Default OTP SMS Delivery Contact Attribute.
9. Select the Default OTP Email Delivery Contact Attribute.
10. Select the Default OTP Voice Delivery Contact Attribute.
11. Select Show OTP Delivery Contact to give users a choice for OTP delivery.
Example: If you selected a default attribute for the OTP Delivery Contact Attribute, the OTP is delivered to that attribute. If a user has both a default (system) Email attribute and an Alternate Email attribute, for example, the user can click Alternative Authentication on the second-factor login screen and choose another OTP delivery contact.
When multiple OTP delivery options appear on the user login screen, the options display using the following masking rules:
● Email: The first three characters of the local part and the domain name are not masked. For example, support@entrust.com appears as sup***@entrust.com, but abc@entrust.com remains abc@entrust.com because its local part has only three characters and those are not masked.
● Phone number (voice and SMS): All but the last four digits are masked. For example, +12345678900 appears as ********8900.
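The masking rules above, worked through as an added example in Python (not Entrust's own code). It assumes that the hidden part of an email local part is shown as a fixed "***", as in the sup***@entrust.com example, and that a phone number is masked character by character, the leading "+" included; the delivery_choices helper and the sample user are constructed for illustration.

```python
# Added example of the masking rules above, not Entrust's own code. Assumes a
# fixed "***" for the hidden part of an email local part (as in sup***@entrust.com)
# and character-by-character masking of a phone number, leading "+" included.
EMAIL_VISIBLE_PREFIX = 3   # local-part characters left in clear
PHONE_VISIBLE_SUFFIX = 4   # trailing digits left in clear

def mask_email(address: str) -> str:
    """Keep the first three local-part characters and the domain, hide the rest."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if len(local) <= EMAIL_VISIBLE_PREFIX:
        return address  # nothing left to hide: abc@entrust.com is shown unchanged
    return f"{local[:EMAIL_VISIBLE_PREFIX]}***@{domain}"

def mask_phone(number: str) -> str:
    """Mask every character except the last four digits."""
    tail = number[-PHONE_VISIBLE_SUFFIX:]
    if len(number) <= PHONE_VISIBLE_SUFFIX or not tail.isdigit():
        raise ValueError(f"not a maskable phone number: {number!r}")
    return "*" * (len(number) - PHONE_VISIBLE_SUFFIX) + tail

# Delivery channel -> masking rule (voice and SMS both go to a phone number).
MASK_BY_CHANNEL = {"email": mask_email, "sms": mask_phone, "voice": mask_phone}

def delivery_choices(contacts):
    """Build the list shown on the second-factor screen from one user's contacts.
    `contacts` holds (attribute name, channel, value) tuples; attributes with no
    value are skipped, since nothing could be delivered there. Order is kept."""
    choices = []
    for attribute, channel, value in contacts:
        if value:
            choices.append((attribute, channel, MASK_BY_CHANNEL[channel](value)))
    return choices

if __name__ == "__main__":
    # Constructed sample user: system Email, Alternate Email, Mobile, empty Phone.
    sample = [("Email", "email", "support@entrust.com"),
              ("Alternate Email", "email", "abc@entrust.com"),
              ("Mobile", "sms", "+12345678900"),
              ("Phone", "voice", "")]
    for attribute, channel, shown in delivery_choices(sample):
        print(f"{attribute:16} ({channel:5}) {shown}")
```

Masking keeps a full contact address from being disclosed to anyone who has only passed the first factor, while still letting the legitimate user recognise which contact an OTP will go to.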
12. Optional: Select Enable Default OTP Delivery.
● When enabled, users must respond to the default OTP.
● When disabled, users must choose the OTP delivery method.
13. Optional: Select Include OTP Expiry Time to include the OTP expiry time in the SMS message.
14. If you see a warning message, select Confirm Changes.
15. Click Save to confirm the changes.