PhoneFactor Authentication

(Feature Available only in Premium Edition)

Overview

ManageEngine has partnered with PhoneFactor, the leading global provider of phone-based two-factor authentication, to enable simple, effective two-factor security for Password Manager Pro. ManageEngine is a PhoneFactor Alliance Partner and offers seamless integration with PhoneFactor's authentication services.

PhoneFactor works by placing a confirmation call to your phone during the login process. Upon completing your first authentication through usual means and when you go to the second authentication stage, you simply need to answer your phone and press # (or enter a PIN), which serves as the phone-based authentication.

Following is the sequence of events involved in PhoneFactor Authentication:

    1. A user tries to access PMP web-interface
    2. PMP authenticates the user through Active Directory or LDAP or locally
    3. PMP prompts for the second factor credential through PhoneFactor
    4. PhoneFactor calls you. Answer the call and press # (or enter a PIN)
    5. PMP grants the user access to the web-interface

Enabling PhoneFactor Authentication

Prerequsite

Prior to enabling PhoneFactor authentication, you need to buy PhoneFactor. Refer to PhoneFactor website for details. After getting PhoneFactor, you need to decide about the specific authentication method - whether you want to install PhoneFactor agent in your environment or deploy PhoneFactor Direct SDK.

How Does PhoneFactor Work with PMP?

You will be specifying the phone numbers for your users, which results in a mapping between the users and the corresponding phone numbers. In PhoneFactor agent mode, the details about the user, including the phone numbers are maintained at the agent. In Direct SDK mode, the phone numbers are maintained in PMP database itself. When a user tries to login to PMP, PhoneFactor finds out the phone number of the respective user and triggers a call.

To enable two-factor authentication using PhoneFactor, you need to follow the steps detailed below:

Summary of Steps

    1. Setting up two factor authentication in PMP
    2. Deciding the type of PhoneFactor authentication & associated configuration
    3. Enforcing two factor authentication for required users in PMP

Step 1: Setting up Two Factor Authentication in PMP

The first step is to enable two factor authentication. To do that,

    1. Go to "Admin" tab and click "Two Factor Authentication"
    2. Choose the option "PhoneFactor"

Note: Before proceeding further, ensure that you have entered the phone numbers for all the users for whom you wish to enable two factor authentication through PhoneFactor in Password Manager Pro. You can enter a landline number or a mobile number as the primary contact number for PhoneFactor authentication.


Landline numbers should be entered in the following format:

<Country Code> <Phone Number with Area Code> <Extension Number, if any>

Example: 1 9259249500 292

Mobile numbers should be entered in the following format:

<Country Code> <Mobile Number>

Step 2: Choose the Authentication Method

You can choose to deploy PhoneFactor Agent or PhoneFactor Direct SDK.

    PhoneFactor Agent

    The PhoneFactor agent runs on a Windows server within your network. It includes a configuration wizard that guides you through the setup process for securing Password Manager Pro with PhoneFactor. The PhoneFactor agent can also integrate with your existing Active Directory or LDAP server for centralized user provisioning and management. All user data is stored within the corporate network for additional security. Extensive logging is available for reporting and auditing.

    Direct SDK

    Instead of using the Agent, you can also use PhoneFactor Direct SDK, which can be used to integrate with Password Manager Pro and it leverages PMP's existing user database.

    Note: Among the choices above, PhoneFactor agent supports entering a PIN for authentication while answering the phone call from PhoneFactor. In Direct SDK mode, users will just be prompted to enter the # key and not a PIN.

If you choose to deploy PhoneFactor agent

(Note: If you have already installed PhoneFactor agent, you may skip Step 1 below and directly proceed to Step 2).

Obtain and install the PhoneFactor Agent and Web Services SDK on a Windows server within your network. The wizard will guide you through the installation process.

Step 1: Configurations in PhoneFactor agent

  • Since the phone numbers of the users are maintained in the PhoneFactor agent, after installing it, you need to add all the PMP users (for whom two factor authentication through PhoneFactor has been enabled in PMP) in the agent and enter their phone numbers too. You can also integrate Active Directory / LDAP with PhoneFactor agent and automatically import users. If you have users authenticated through PMP's local authentication, add them to PhoneFactor manually providing details about the phone number
  • While adding users in the PhoneFactor agent, take care to provide the same username as available in PMP. (In PMP, you would have provided a 'PhoneFactor username' for the users who will be authenticated by PhoneFactor. Take care to enter the same username here in PhoneFactor agent configuration)
  • After importing users, check if the phone numbers have been entered in the correct format

Important Note: User information and their phone numbers are maintained in PhoneFactor agent. That means, users will receive the call only at the phone numbers specified in the agent. Whenever, you want to modify the phone number, you need to carry out the change at the agent. Similarly, whenever you add new users to PMP and if TFA through PhoneFactor is enabled for them, you need to add the user in PhoneFactor agent too. Otherwise, TFA through PhoneFactor will not work.

Step 2: Configurations in PMP

  • In the Two Factor Authentication GUI in PMP, select the Authentication Method as "PhoneFactor Agent"
  • Enter the credentials to access the PhoneFactor. You need to enter the user name, password and the URL of the host where the PhoneFactor agent is running
  • Communication between PMP and the host where the PhoneFactor agent is running takes place through SSL. So, you need to import (into PMP) the SSL certificate, which you specified while installing the Web Services SDK.

While installing the PhoneFactor agent/ Web Services SDK, you would have either created a self-signed SSL certificate or you would have used an already available internal certificate (your own certificate). Here, in PMP, you need import the root of the CA. If you are using a certificate signed by third-party CA, you may skip this step.

To import the root of the CA,

  • Navigate to "PMP_Installation_Folder>/bin" directory
  • Execute importPhoneFactorCert.bat (in Windows) orimportPhoneFactorCert.sh (in Linux) as follows
  • (In Windows)

    In the case of Self-signed certificates

    importPhoneFactorCert.bat <absolute path of the Self-signed certificate>

    In the case of your own certificates or already available internal CAs

    importPhoneFactorCert.bat <absolute path of the root of the CA>

    (In Linux)

    In the case of Self-signed certificates

    sh importPhoneFactorCert.sh <absolute path of the Self-signed certificate>

    In the case of your own certificates or already available internal CAs

    sh importPhoneFactorCert.sh <absolute path of the root of the CA>

  • Restart PMP server
  • Once you execute the above, the root of the CA will be recorded in PMP. All the certificates signed by the particular CA will henceforth be automatically taken.
  • Proceed to Step 3 - Enforcing Two Factor Authentication for required users in PMP.

Note: If your enterprise network setup requires connecting to the internet via a proxy server, you need to configure the proxy settings to enable PMP connect to PhoneFactor website. (PMP GUI >>> Admin >>> General >>> Proxy Server Settings)

If you have configured PMP High Availability: Configurations in PMP Secondary (PhoneFactor Agent Mode)

If you have configured High Availability in PMP and if you chosen to deploy PhoneFactor Agent, you need to carry out the following configuration in PMP Secondary server. Just as you imported the root of the CA as explained above, you need to do the same in the PMP secondary. If you are using a certificate signed by third-party CA, you may skip this step.

If you choose to deploy PhoneFactor Direct SDK

Step 1: Configurations in SDK

    PhoneFactor jars have been bundled with Password Manager Pro. So, it is enough if you buy PhoneFactor and supply the license details as explained in Step 2 below.

Step 2: Configurations in PMP GUI

  • Check the PMP users and ensure that you have entered phone numbers for all the users for whom you wish to enable two factor authentication through PhoneFactor in Password Manager Pro. The phone numbers should be entered in proper format. In sharp contrast to PhoneFactor agent where the phone numbers of the users are recorded and maintained at the agent, in the case of Direct SDK, phone numbers are maintained at PMP itself.
  • In PhoneFactor GUI, you need to specify the path of PhoneFactor license file, PhoneFactor Certificate and Private Key password. (These files will be present under the PhoneFactor SDK folder.)
  • Proceed to Step 3 - Enforcing Two Factor Authentication for required users in PMP.

Note: If your enterprise network setup requires connecting to the internet via a proxy server, you need to configure the proxy settings to enable PMP connect to PhoneFactor website. (PMP GUI >>> Admin >>> General >>> Proxy Server Settings)

If you have configured PMP High Availability: Configurations in PMP Secondary (PhoneFactor Direct SDK Mode)

If you have configured High Availability in PMP and if you chosen to PhoneFactor Direct SDK mode, you need to carry out the following configuration in PMP Secondary server.

  • Go to <PMP-Primary-Installation>/licenses folder
  • Copy the files license.xml and cert.p12
  • Now go to <PMP-Secondary-Installation>/licenses folder
  • Paste these two files

Step 3: Enforcing Two Factor Authentication for Required Users

In step 1&2 above, you have chosen PhoneFactor as the option for two factor authentication. After choosing this option, you need to apply two factor authentication for the required users.

To enforce two factor authentication for a user,

  • Go to "Admin" >> "Users"
  • Click the button "Set 2-factor authentication"
  • In the UI that opens, select the users for whom two factor authentication is to be enforced
  • Click "Save"

How to connect to PMP Web-Interface when TFA through PhoneFactor is Enabled?

The users for whom two factor authentication is enabled, will have to authenticate twice successively. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through PMP's local authentication or AD/LDAP authentication.

When TFA is enabled, the login screen will ask for the username alone in the first UI. The users will be prompted to enter the passwords only in the second step.

TFA using PhoneFactor - Workflow

If the administrator has chosen TFA throgh phoneFactor, the two factor authentication will happen as detailed below:

  • Upon launching the PMP web-interface, the user has to enter the username to login to PMP and click "Login"
  • Against the text field "Password", the user has to enter the local authentication password or AD/LDAP password as applicable
  • Once the authentication through the first factor is successful, you need to await a call to your phone from the PhoneFactor
  • Answer the call and press # key or enter the PIN as instructed. PhoneFactor will take care of authentication.

If you have configured High Availability

Whenever you enable TFA or when you change the TFA type (PhoneFactor or RSA SecurID or One-time password) AND if you have configured high availability, you need to restart the PMP secondary server once.

©2014, ZOHO Corp. All Rights Reserved.

Top