PhoneFactor Authentication

(Feature Available only in Premium Edition)

 

Overview

ManageEngine has partnered with PhoneFactor, a provider of phone-based two-factor authentication, to add simple, effective phone-based two-factor security to Password Manager Pro. ManageEngine is a PhoneFactor Alliance Partner, and PMP integrates directly with PhoneFactor's authentication services.

 

PhoneFactor works by placing a confirmation call to the user's registered phone during login. After the first authentication (the usual username and password check) succeeds, PMP moves to the second stage: the user answers the call and presses # (or enters a PIN, depending on the deployment mode), and that response is the phone-based second factor.

 

The sequence of events in a PhoneFactor-protected login is:

 

  1. A user tries to access the PMP web interface.

  2. PMP authenticates the user against Active Directory, LDAP or its local user store (the first factor).

  3. PMP requests the second factor from PhoneFactor.

  4. PhoneFactor calls the phone number on record for that user. The user answers the call and presses # (or enters a PIN).

  5. PMP grants the user access to the web interface.

Enabling PhoneFactor Authentication

Prerequisite

Before enabling PhoneFactor authentication you need to buy PhoneFactor; refer to the PhoneFactor website for details. You also need to decide how PMP will talk to PhoneFactor: either install the PhoneFactor agent in your environment, or use the PhoneFactor Direct SDK that is bundled with PMP. The two modes differ in where user phone numbers are kept and in whether a PIN can be required, as described below.

How Does PhoneFactor Work with PMP?

 

You specify a phone number for each user, which creates a mapping between users and phone numbers. In PhoneFactor agent mode, the user details, including the phone numbers, are maintained in the agent. In Direct SDK mode, the phone numbers are kept in the PMP database itself. When a user logs in to PMP, PhoneFactor looks up that user's phone number and places the call. Whichever store is used, the number on record is where the second factor is delivered, so a wrong or stale entry means the confirmation call reaches the wrong phone; keep it accurate.

 

To enable two-factor authentication using PhoneFactor, you need to follow the steps detailed below:

Summary of Steps

  1. Setting up two factor authentication in PMP

  2. Deciding the type of PhoneFactor authentication & associated configuration

  3. Enforcing two factor authentication for required users in PMP

Step 1: Setting up Two Factor Authentication in PMP

The first step is to enable two factor authentication. To do that,

 

  1. Go to the "Admin" tab and click "Two Factor Authentication"

  2. Choose the option "PhoneFactor"

 

Note: Before proceeding further, ensure that you have entered phone numbers in Password Manager Pro for all the users for whom you wish to enable two factor authentication through PhoneFactor. The primary contact number used for PhoneFactor authentication can be a landline or a mobile number.

 

Landline numbers should be entered in the following format:

<Country Code> <Phone Number with Area Code> <Extension Number, if any>

Example:  1 9259249500 292

Mobile numbers should be entered in the following format:

<Country Code> <Mobile Number>
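As an added example (not part of the PMP documentation and not ManageEngine's code), the following POSIX shell functions check a phone number string against the two formats above before it is entered into PMP, so that the second factor is not quietly routed to a number typed in a form the product does not expect. Beyond what the page states, they assume fields are whitespace-separated and digits only, and they apply the ITU E.164 limits (country code of 1 to 3 digits, at most 15 digits for country code plus number). The user list they audit is constructed for the example and is not a real PMP export format.

```shell
#!/bin/sh
# Added example, not ManageEngine/PMP code. Validates phone numbers against the
# format this page documents for PhoneFactor:
#   landline: <Country Code> <Phone Number with Area Code> <Extension, if any>
#   mobile:   <Country Code> <Mobile Number>
# Assumptions beyond the page: fields are whitespace-separated and digits only;
# the country code is 1-3 digits and country code + number is at most 15 digits
# (ITU E.164). Anything else (leading '+', dashes, brackets) is rejected rather
# than guessed at, because the number on record is where the second factor goes.

is_digits() {
    # succeed only if $1 is non-empty and made of 0-9
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

pmp_phone_normalize() {
    # Usage: pmp_phone_normalize "1 9259249500 292"
    # Prints "country=1 number=9259249500 ext=292" (ext=- when absent) and
    # returns 0; otherwise prints the reason on stderr and returns 1.
    set -f                      # no globbing while we split on whitespace
    set -- $1
    set +f
    if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then
        echo "reject: expected 2 or 3 space-separated fields, got $#" >&2
        return 1
    fi
    pf_cc=$1; pf_num=$2; pf_ext=${3:--}
    if ! is_digits "$pf_cc" || [ "${#pf_cc}" -gt 3 ]; then
        echo "reject: country code '$pf_cc' must be 1-3 digits (no '+')" >&2
        return 1
    fi
    if ! is_digits "$pf_num"; then
        echo "reject: number '$pf_num' must be digits only (no dashes/brackets)" >&2
        return 1
    fi
    if [ $(( ${#pf_cc} + ${#pf_num} )) -gt 15 ]; then
        echo "reject: country code + number exceeds 15 digits (E.164)" >&2
        return 1
    fi
    if [ "$pf_ext" != "-" ] && ! is_digits "$pf_ext"; then
        echo "reject: extension '$pf_ext' must be digits only" >&2
        return 1
    fi
    echo "country=$pf_cc number=$pf_num ext=$pf_ext"
}

pmp_phone_audit() {
    # Reads "username,phone" lines on stdin (a constructed list, not a real
    # PMP format) and reports each; returns 1 if any number would be rejected.
    pf_bad=0
    while IFS=, read -r pf_user pf_phone; do
        [ -n "$pf_user" ] || continue
        if pf_norm=$(pmp_phone_normalize "$pf_phone" 2>&1); then
            echo "OK   $pf_user: $pf_norm"
        else
            echo "BAD  $pf_user: $pf_norm"
            pf_bad=1
        fi
    done
    return "$pf_bad"
}

# Constructed sample list: one correct landline, one correct mobile, and two
# entries written in forms the documented format does not cover.
pmp_phone_audit <<'EOF' || echo "fix the BAD entries before enabling TFA for those users"
alice,1 9259249500 292
bob,44 7700900123
carol,+1 925-924-9500
dave,9259249500
EOF
```

Run the audit over your own user list before Step 3; the two rejected constructed entries show the usual mistakes (a leading "+" with separators, and a number with no country code).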

 

Step 2:  Choose the Authentication Method

You can choose to deploy PhoneFactor Agent or PhoneFactor Direct SDK.

 

PhoneFactor Agent

 

The PhoneFactor agent runs on a Windows server within your network. It includes a configuration wizard that guides you through securing Password Manager Pro with PhoneFactor. The agent can also integrate with your existing Active Directory or LDAP server for centralized user provisioning and management. All user data stays within the corporate network, and extensive logging is available for reporting and auditing.

 

Direct SDK

 

Instead of the agent, you can use the PhoneFactor Direct SDK, which PMP integrates with directly and which uses PMP's existing user database (including the phone numbers you entered in PMP).

 

Note: Of the two, only the PhoneFactor agent supports requiring a PIN when the user answers the call. In Direct SDK mode, users are prompted to press the # key only, not a PIN. Pressing # proves only that whoever answered has the phone; a PIN additionally ties the approval to something the user knows, which matters where a line can be answered by someone else (a shared desk phone, a lost or borrowed mobile).

 

If you choose to deploy PhoneFactor agent

 

(Note: If you have already installed the PhoneFactor agent, you may skip Step 1 below and proceed directly to Step 2.)

 

Obtain and install the PhoneFactor Agent and Web Services SDK on a Windows server within your network. The wizard will guide you through the installation process.

 

Step 1: Configurations in PhoneFactor agent

 

Important Note: User information and phone numbers are maintained in the PhoneFactor agent. That means users receive the call only at the phone numbers specified in the agent. Whenever you want to change a phone number, make the change in the agent. Likewise, whenever you add new users to PMP and TFA through PhoneFactor is enabled for them, add them in the PhoneFactor agent too; otherwise TFA through PhoneFactor will not work for them.

 

Step 2: Configurations in PMP

 

 

While installing the PhoneFactor agent/Web Services SDK, you either created a self-signed SSL certificate or used a certificate already available internally (your own certificate, issued by an internal CA). PMP connects to the agent's Web Services SDK over SSL and must be able to validate that certificate, so in PMP you need to import the root of the CA: the self-signed certificate itself, or the root certificate of your internal CA. Import only the certificate, never the private key. If the certificate is signed by a third-party CA, you may skip this step.

 

To import the root of the CA,

 

 

(In Windows)

 

In the case of Self-signed certificates

 

importPhoneFactorCert.bat <absolute path of the Self-signed certificate>  

 

In the case of your own certificates or already available internal CAs

 

importPhoneFactorCert.bat <absolute path of the root of the CA>   

 

(In Linux)

 

In the case of Self-signed certificates

 

sh importPhoneFactorCert.sh <absolute path of the Self-signed certificate>  

 

In the case of your own certificates or already available internal CAs

 

sh importPhoneFactorCert.sh <absolute path of the root of the CA>   
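As an added example (not part of the PMP documentation and not ManageEngine's code), the following POSIX shell functions run pre-flight checks on the file before it is handed to importPhoneFactorCert.sh. Since the import makes PMP trust whatever is in that file when it opens the SSL connection to the agent's Web Services SDK, the checks confirm that the file is really a certificate and not the agent's private key, that it is the self-signed certificate or a CA root rather than a leaf certificate issued by some other CA, and that it has not expired. The functions assume the openssl command-line tool is on PATH and that importPhoneFactorCert.sh is in the current directory unless PMP_IMPORT_SCRIPT says otherwise; both are assumptions, not statements from the page.

```shell
#!/bin/sh
# Added example, not ManageEngine/PMP code. Pre-flight checks on the certificate
# you are about to pass to importPhoneFactorCert.sh / .bat. PMP imports it so
# that it will trust the TLS certificate the PhoneFactor agent's Web Services
# SDK presents, so the file must be the agent's self-signed certificate or your
# internal CA root (public material only), not a private key and not a leaf
# certificate issued by some other CA. Assumes the openssl CLI is on PATH and
# that importPhoneFactorCert.sh is in the current directory unless
# PMP_IMPORT_SCRIPT is set; both are assumptions, not from the page.

pmp_cert_kind() {
    # Usage: pmp_cert_kind /absolute/path/to/cert  (PEM or DER)
    # Prints "ca-root", "self-signed" or "leaf" and returns 0, or prints the
    # reason on stderr and returns 1. The SHA-256 fingerprint goes to stderr so
    # it can be compared with the one shown on the agent host.
    pc_file=$1
    [ -f "$pc_file" ] || { echo "refuse: no such file: $pc_file" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pc_file" 2>/dev/null; then
        echo "refuse: $pc_file contains a private key; import only the certificate" >&2
        return 1
    fi
    # Accept PEM or DER; normalise to PEM for the checks below.
    pc_pem=$(openssl x509 -in "$pc_file" -inform PEM 2>/dev/null) \
        || pc_pem=$(openssl x509 -in "$pc_file" -inform DER 2>/dev/null) \
        || { echo "refuse: $pc_file is not an X.509 certificate" >&2; return 1; }
    # -checkend 0 fails once notAfter is in the past.
    printf '%s\n' "$pc_pem" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "refuse: certificate has already expired" >&2; return 1; }
    printf '%s\n' "$pc_pem" | openssl x509 -noout -fingerprint -sha256 >&2
    pc_subj=$(printf '%s\n' "$pc_pem" | openssl x509 -noout -subject)
    pc_iss=$(printf '%s\n' "$pc_pem" | openssl x509 -noout -issuer)
    if [ "${pc_subj#subject=}" != "${pc_iss#issuer=}" ]; then
        echo leaf          # issued by someone else: that issuer's root is what PMP needs
    elif printf '%s\n' "$pc_pem" | openssl x509 -noout -text \
            | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo ca-root       # self-issued and marked as a CA: an internal root
    else
        echo self-signed   # self-issued end-entity cert, e.g. the agent's own
    fi
}

pmp_import_phonefactor_cert() {
    # Runs the checks, then hands the file to PMP's own import script.
    pi_file=$1
    pi_kind=$(pmp_cert_kind "$pi_file") || return 1
    if [ "$pi_kind" = "leaf" ]; then
        echo "refuse: $pi_file is a leaf certificate; import the issuing CA's root instead (or skip the import if that CA is public)" >&2
        return 1
    fi
    echo "importing $pi_kind certificate $pi_file into PMP's trust store"
    sh "${PMP_IMPORT_SCRIPT:-./importPhoneFactorCert.sh}" "$pi_file"
}
```

Compare the fingerprint written to stderr with the one shown on the agent host before importing, and repeat the import on the PMP secondary if you run High Availability.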

 

 

 

 

Note: If your enterprise network requires connecting to the internet via a proxy server, configure the proxy settings so that PMP can reach the PhoneFactor service (PMP GUI >>> Admin >>> General >>> Proxy Server Settings).

 

If you have configured PMP High Availability: Configurations in PMP Secondary (PhoneFactor Agent Mode)

 

If you have configured High Availability in PMP and have chosen to deploy the PhoneFactor agent, you need to carry out the same configuration on the PMP secondary server: import the root of the CA there exactly as you did on the primary. If you are using a certificate signed by a third-party CA, you may skip this step.

If you choose to deploy PhoneFactor Direct SDK

Step 1: Configurations in SDK

 

The PhoneFactor jars are bundled with Password Manager Pro, so no separate SDK installation is needed. It is enough to buy PhoneFactor and supply the license details as explained in Step 2 below.

 

Step 2: Configurations in PMP GUI

 

Note: If your enterprise network requires connecting to the internet via a proxy server, configure the proxy settings so that PMP can reach the PhoneFactor service (PMP GUI >>> Admin >>> General >>> Proxy Server Settings).

 

If you have configured PMP High Availability: Configurations in PMP Secondary (PhoneFactor Direct SDK Mode)

 

If you have configured High Availability in PMP and have chosen PhoneFactor Direct SDK mode, you need to carry out the following configuration on the PMP secondary server.

 

Step 3: Enforcing Two Factor Authentication for Required Users

 

In Steps 1 and 2 above, you chose PhoneFactor as the two factor authentication method. Next, you need to apply two factor authentication to the required users.

 

To enforce two factor authentication for a user,

 

How to connect to PMP Web-Interface when TFA through PhoneFactor is Enabled?

Users for whom two factor authentication is enabled have to authenticate twice in succession. As explained above, the first level is the usual authentication: PMP's local authentication or AD/LDAP authentication.

 

When TFA is enabled, the login screen first asks for the username alone; users are prompted for the password only in the second step.

 

TFA using PhoneFactor - Workflow

 

If the administrator has chosen TFA through PhoneFactor, the two factor authentication proceeds as detailed below:

 

If you have configured High Availability

 

Whenever you enable TFA or change the TFA type (PhoneFactor, RSA SecurID or one-time password) and you have configured High Availability, restart the PMP secondary server once.


© 2014, ZOHO Corp. All Rights Reserved.