Setting up Two-Factor Authentication - PhoneFactor Authentication
(Feature available only in Premium and Enterprise Editions)

ManageEngine has partnered with PhoneFactor, the leading global provider of phone-based two-factor authentication, to enable simple, effective two-factor security for Password Manager Pro. ManageEngine is a PhoneFactor Alliance Partner and offers seamless integration with PhoneFactor's authentication services.

PhoneFactor works by placing a confirmation call to your phone during the login process. Upon completing your first authentication through usual means and when you go to the second authentication stage, you simply need to answer your phone and press # (or enter a PIN), which serves as the phone-based authentication.

Following is the sequence of events involved in PhoneFactor Authentication:

1. A user tries to access Password Manager Pro web-interface
2. Password Manager Pro authenticates the user through Active Directory or LDAP or locally
3. Password Manager Pro prompts for the second factor credential through PhoneFactor
4. PhoneFactor calls you. Answer the call and press # (or enter a PIN)
5. Password Manager Pro grants the user access to the web-interface

1. Enabling PhoneFactor Authentication

Prerequsite

Prior to enabling PhoneFactor authentication, you need to buy PhoneFactor. Refer to PhoneFactor website for details. After getting PhoneFactor, you need to decide about the specific authentication method - whether you want to install PhoneFactor agent in your environment or deploy PhoneFactor Direct SDK.

2. How does PhoneFactor Work with Password Manager Pro?

You will be specifying the phone numbers for your users, which results in a mapping between the users and the corresponding phone numbers. In PhoneFactor agent mode, the details about the user, including the phone numbers are maintained at the agent. In Direct SDK mode, the phone numbers are maintained in Password Manager Pro database itself. When a user tries to login to Password Manager Pro, PhoneFactor finds out the phone number of the respective user and triggers a call.

To enable two-factor authentication using PhoneFactor, you need to follow the steps detailed below:

Summary of Steps

1. Settings up two-factor authentication in Password Manager Pro
2. Deciding the type of PhoneFactor authentication & associated configuration
3. Enforcing two-factor authentication for required users in Password Manager Pro

Step 1: Settings up two-factor authentication in Password Manager Pro

The first step is to enable two-factor authentication. To do that,

1. Navigate to Admin >> Authentication >> Two-factor Authentication.
2. Choose the option PhoneFactor.
3. Click "Save".

Step 2: Choose the authentication method

You can choose to deploy PhoneFactor Agent or PhoneFactor Direct SDK.

PhoneFactor Agent

The PhoneFactor agent runs on a Windows server within your network. It includes a configuration wizard that guides you through the setup process for securing Password Manager Pro with PhoneFactor. The PhoneFactor agent can also integrate with your existing Active Directory or LDAP server for centralized user provisioning and management. All user data is stored within the corporate network for additional security. Extensive logging is available for reporting and auditing.

Direct SDK

Instead of using the Agent, you can also use PhoneFactor Direct SDK, which can be used to integrate with Password Manager Pro and it leverages Password Manager Pro's existing user database.

Note: Among the choices above, PhoneFactor agent supports entering a PIN for authentication while answering the phone call from PhoneFactor. In Direct SDK mode, users will just be prompted to enter the # key and not a PIN.

If you choose to deploy PhoneFactor agent

(Note: If you have already installed PhoneFactor agent, you may skip Step 1 below and directly proceed to Step 2).

Obtain and install the PhoneFactor Agent and Web Services SDK on a Windows server within your network. The wizard will guide you through the installation process.

Step 1: Configurations in PhoneFactor agent

• Since the phone numbers of the users are maintained in the PhoneFactor agent, after installing it, you need to add all the Password Manager Pro users (for whom two-factor authentication through PhoneFactor has been enabled in Password Manager Pro) in the agent and enter their phone numbers too. You can also integrate Active Directory / LDAP with PhoneFactor agent and automatically import users. If you have users authenticated through Password Manager Pro's local authentication, add them to PhoneFactor manually providing details about the phone number.
• While adding users in the PhoneFactor agent, take care to provide the same username as available in Password Manager Pro (In Password Manager Pro, you would have provided a 'PhoneFactor username' for the users who will be authenticated by PhoneFactor. Take care to enter the same username here in PhoneFactor agent configuration).
• After importing users, check if the phone numbers have been entered in the correct format.



Important Note: User information and their phone numbers are maintained in PhoneFactor agent. That means, users will receive the call only at the phone numbers specified in the agent. Whenever, you want to modify the phone number, you need to carry out the change at the agent. Similarly, whenever you add new users to Password Manager Pro and if TFA through PhoneFactor is enabled for them, you need to add the user in PhoneFactor agent too. Otherwise, TFA through PhoneFactor will not work.

Step 2: Configurations in Password Manager Pro

• In the two-factor Authentication GUI in Password Manager Pro, select the Authentication Method as "PhoneFactor Agent".
• Enter the credentials to access the PhoneFactor. You need to enter the user name, password and the URL of the host where the PhoneFactor agent is running.
• Communication between Password Manager Pro and the host where the PhoneFactor agent is running takes place through SSL. So, you need to import (into Password Manager Pro) the SSL certificate, which you specified while installing the Web Services SDK.

While installing the PhoneFactor agent/ Web Services SDK, you would have either created a self-signed SSL certificate or you would have used an already available internal certificate (your own certificate). Here, in Password Manager Pro, you need import the root of the CA. If you are using a certificate signed by third-party CA, you may skip this step.

To import the root of the CA,

1. Navigate to "PMP_Installation_Folder>/bin" directory.
2. Execute importPhoneFactorCert.bat (in Windows) or importPhoneFactorCert.sh (in Linux) as follows:

(In Windows)

In the case of Self-signed certificates

importPhoneFactorCert.bat <absolute path of the Self-signed certificate>

In the case of your own certificates or already available internal CAs

importPhoneFactorCert.bat <absolute path of the root of the CA>

(In Linux)

In the case of Self-signed certificates

sh importPhoneFactorCert.sh <absolute path of the Self-signed certificate>

In the case of your own certificates or already available internal CAs

sh importPhoneFactorCert.sh <absolute path of the root of the CA>

3. Restart Password Manager Prov server.
4. Once you execute the above, the root of the CA will be recorded in Password Manager Pro. All the certificates signed by the particular CA will henceforth be automatically taken.
5. Proceed to Step 3 - Enforcing two-factor Authentication for required users in Password Manager Pro.

Note: If your enterprise network setup requires connecting to the internet via a proxy server, you need to configure the proxy settings to enable Password Manager Pro connect to PhoneFactor website. (PMP GUI >> Admin >> General >> Proxy Server Settings)

If you have configured Password Manager Pro High Availability: Configurations in Password Manager Pro Secondary (PhoneFactor Agent Mode)

If you have configured High Availability in Password Manager Pro and if you chosen to deploy PhoneFactor Agent, you need to carry out the following configuration in Password Manager Pro Secondary server. Just as you imported the root of the CA as explained above, you need to do the same in the Password Manager Pro secondary. If you are using a certificate signed by third-party CA, you may skip this step.

If you choose to deploy PhoneFactor Direct SDK:

Step 1: Configurations in SDK

PhoneFactor jars have been bundled with Password Manager Pro. So, it is enough if you buy PhoneFactor and supply the license details as explained in Step 2 below.

Step 2: Configurations in Password Manager Pro GUI

• Check the Password Manager Pro users and ensure that you have entered phone numbers for all the users for whom you wish to enable two-factor authentication through PhoneFactor in Password Manager Pro. The phone numbers should be entered in proper format. In sharp contrast to PhoneFactor agent where the phone numbers of the users are recorded and maintained at the agent, in the case of Direct SDK, phone numbers are maintained at Password Manager Pro itself.
• In PhoneFactor GUI, you need to specify the path of PhoneFactor license file, PhoneFactor Certificate and Private Key password (These files will be present under the PhoneFactor SDK folder).
• Proceed to Step 3 - Enforcing two-factor Authentication for required users in Password Manager Pro.

If you have configured Password Manager Pro High Availability: Configurations in Password Manager Pro Secondary (PhoneFactor Direct SDK Mode)

If you have configured High Availability in Password Manager Pro and if you chosen to PhoneFactor Direct SDK mode, you need to carry out the following configuration in Password Manager Pro Secondary server.

• Go to <PMP-Primary-Installation>/licenses folder.
• Copy the files license.xml and cert.p12.
• Now go to <PMP-Secondary-Installation>/licenses folder.
• Paste these two files.

Step 3: Enforcing two-factor authentication for the required users

1. Once you confirm the PhoneFactor as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom two-factor authentication should be enforced.
2. You can enable or disable two-factor authentication for a single user or multiple users in bulk from here. To enable two-factor authentication for a single user, click on the 'Enable' button beside their respective username. For multiple users, select the required usernames and click on 'Enable' at the top of the user list. Similarly, you can also 'Disable' two-factor authentication from here.

   
   

• You can also select the users later by navigating to Users >> More Actions >> Two-factor Authentication.

How to connect to Password Manager Pro Web-Interface when TFA through PhoneFactor is Enabled?

The users for whom two-factor authentication is enabled, will have to authenticate twice successively. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through Password Manager Pro's local authentication or AD/LDAP authentication.

When TFA is enabled, the login screen will ask for the username alone in the first UI. The users will be prompted to enter the passwords only in the second step.

TFA using PhoneFactor - Workflow

If the administrator has chosen TFA through PhoneFactor, the two-factor authentication will happen as detailed below:

• Upon launching the Password Manager Pro web-interface, the user has to enter the username to login to Password Manager Pro and click "Login".
• Against the text field "Password", the user has to enter the local authentication password or AD/LDAP password as applicable.





• Once the authentication through the first factor is successful, you need to await a call to your phone from the PhoneFactor.
• Answer the call and press # key or enter the PIN as instructed. PhoneFactor will take care of authentication.

If you have configured High Availability

Whenever you enable TFA or when you change the TFA type (PhoneFactor or RSA SecurID or One-time password) AND if you have configured high availability, you need to restart the Password Manager Pro secondary server once.