How To Change the Default OTP Method for Two-Factor Authentication
You want to change the default OTP method utilized by PortalGuard during Two-Factor Authentication (2FA).
Properly configure the security policy within the PortalGuard Configuration Editor, and select a new 'Default OTP Method'.
- Navigate to the PortalGuard server and open the PortalGuard Configuration Editor.
- Navigate to the Security Policies tab.
- Click on the Security Policy you wish to edit in order to highlight it. Double-click it or click the 'Edit' button to modify it.
- Navigate to the Authentication Methods tab and enable the OTP Methods that you wish to utilize for 2FA, if you have not already done so.
Once your Authentication Methods are configured, navigate to the Actions tab.
For 2FA, ensure that the Login sub-tab is selected and the 'PortalGuard Website Login' is set to 'Two-factor (2FA)':
Under 'Accepted OTP Methods' simply check the box next to each method that you wish to allow for the purposes of 2FA.
- For this example, we will be enabling 'Phone' for SMS OTP Delivery, 'Email', and 'Mobile App'.
- To utilize an OTP Delivery type for Two-Factor Authentication or any other 'Action' within PortalGuard, it will need to be marked as either 'Optional' or 'Required' under the Authentication Methods tab within the security policy:
- In the screenshot above, 'Phone' enrollment is set to 'Optional', with reminders set to 'Always'. This will allow users to enroll their mobile phone number to receive an OTP via SMS for 2FA. The reminders will prompt the user each time s/he logs in until the phone number is enrolled.
In the 'Default OTP Method' drop-down, select the new default for a 2FA login to PortalGuard.
- For our purposes, 'Phone', 'Email', and 'Mobile Authenticator' should all be checked.
- If an option is not available here and is greyed out, that means it has not been enabled in the Authentication Methods tab.
- Furthermore, if you have an Authentication Method enabled but not selected for use anywhere, users will NOT be prompted to enroll that particular method.
If you wish to allow users to choose their own 'Default OTP Method', check the box labeled 'Allow User to Override?'.
- For this example, the new 'Default OTP Method' will be 'Mobile Authenticator'.
- IMPORTANT NOTE: Any option configured as the 'Default OTP Method' for 2FA will be seen as 'Required' for the purposes of enrollment, regardless of the settings in the Authentication Methods tab.
Your final configuration should resemble the following:
Click the 'Save' button to keep the changes.
On the main screen of the PortalGuard Configuration Editor, click the red 'Apply to PortalGuard Server' button.
Click the 'Sync' button.
- The 'Allow User to Override?' setting allows the user to update the 'Default OTP Method' for himself/herself if they do not wish to use the 'Default OTP Method' defined in this policy. The user will be allowed to choose from any enrolled OTP Delivery method, so long as it is allowed in the security policy under 'Accepted OTP Methods' for 2FA.
- Users can change the 'Default OTP Method' for any allowed action from the PortalGuard Account Management Page when authenticated:
REV. 09/2018 | PortalGuard