SMS is a two-factor authentication (2FA) method that sends a generated code to a user’s device to provide an added level of web client login security. This section describes how to integrate and use SMS with Q360.
2FA is a kind of multi-factor authentication (MFA), requiring two different methods of verifying a user when accessing a website or application. MFA can involve two or more methods of authentication, depending on the security requirements outlined by the system administrator.
Prerequisites
- Q360 version 10.03 or later is required
- Make sure that Director is configured. For more information, see the topic Director Setup.
- An SMS handler account for a service such as TextMagic or ClickSend
- Different countries have their own laws around sender numbers. Before using 2FA, confirm with the service provider where messages can be sent.
- US phone numbers will send SMS messages to both Canadian and US carriers effectively. Canadian numbers will typically only send messages to Canadian carriers.
- The SMS handlers are pay-per-SMS services. If two-factor authentication is turned on for the TEST, TRAIN or any other database instances, charges will be incurred for those SMS messages as well. When restoring a PROD database to the TEST instance, ensure the settings are configured correctly.
API Configuration
In the Maintenance > API Configuration > SMS Handler tab, enter the following details:
Service – The name of the SMS service such as ClickSend or TextMagic
UserName – The User Name used to log in to the service
API Key – The unique API key for the Q360 instance. This should not be shared. For TextMagic, the user name and API key are created and located on the TextMagic website. For ClickSend, the user name and API key are created and located on the ClickSend website.
Sender Number – A number configured with a service for sending the SMS messages
- TextMagic requires a virtual sender number purchased through their site
- If using ClickSend, you can leave this field blank and it will use a shared virtual number
Code Expiry (Minutes) – The number of minutes a two-factor authorization code remains valid before expiring. Because of the latency that can occur when sending SMS messages through the API, this value should not be set below 5.
Trusted Device Expiry (Hours) – The number of hours a device will remain trusted. Every time a user logs in with the same device, it resets the timeout. The default value is 48. Note: assigning a new device the designation of “Trusted Device” will invalidate the previous device as a “Trusted Device” and reset the Expiry Hours to the default value.
TFA for Internal Users – Enables two-factor authentication for all internal users. The default setting is OFF.
TFA for External Users – Enables two-factor authentication for all external users. The default setting is OFF.
When all of the information in this form is added, make sure to test the service by clicking the Test Service button. When your setup is complete, click the Save button.
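To make the behaviour of the Code Expiry and Trusted Device Expiry settings concrete, here is a small model of them in Python. It is an added example, not Q360 code, and it assumes a one-trusted-device-per-user rule (taken from the note that trusting a new device invalidates the previous one) and a clock expressed in seconds since the epoch.

```python
from dataclasses import dataclass

MIN_CODE_EXPIRY_MINUTES = 5     # documented floor for Code Expiry (Minutes)
DEFAULT_TRUSTED_HOURS = 48      # documented default for Trusted Device Expiry (Hours)


def validate_code_expiry(minutes: int) -> int:
    """Reject a Code Expiry below the documented minimum of 5 minutes.

    SMS delivery through the provider API can lag, so a shorter window
    risks codes expiring before the user ever sees them.
    """
    if minutes < MIN_CODE_EXPIRY_MINUTES:
        raise ValueError(
            f"Code Expiry must be at least {MIN_CODE_EXPIRY_MINUTES} minutes, got {minutes}"
        )
    return minutes


@dataclass
class TrustedDevice:
    device_id: str      # hypothetical opaque identifier, e.g. a cookie value
    expires_at: float   # epoch seconds


class TrustedDeviceRegistry:
    """One trusted device per user (assumption modelled on the page's note)."""

    def __init__(self, expiry_hours: int = DEFAULT_TRUSTED_HOURS) -> None:
        self.expiry_seconds = expiry_hours * 3600
        self._trusted: dict[str, TrustedDevice] = {}

    def trust(self, user: str, device_id: str, now: float) -> None:
        # Designating a new trusted device replaces the previous one and
        # resets the expiry window to the configured value.
        self._trusted[user] = TrustedDevice(device_id, now + self.expiry_seconds)

    def requires_second_factor(self, user: str, device_id: str, now: float) -> bool:
        """True if this login must complete the SMS/EMAIL code step."""
        td = self._trusted.get(user)
        if td is None or td.device_id != device_id or now >= td.expires_at:
            return True
        # Same device, still within the window: each login resets the timeout.
        td.expires_at = now + self.expiry_seconds
        return False


if __name__ == "__main__":
    reg = TrustedDeviceRegistry()
    reg.trust("alice", "dev-A", now=0.0)
    print(reg.requires_second_factor("alice", "dev-A", now=40 * 3600))   # False, window reset
    print(reg.requires_second_factor("alice", "dev-B", now=40 * 3600))   # True, unknown device
```

The point of the model is the two reset rules: a login from the trusted device pushes the expiry forward, while trusting a different device discards the old one outright, so a user cannot accumulate several trusted devices by switching between them.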
End user information
- Once logged in, the user will be presented with up to two destination options for receiving the authentication code. These options are EMAIL and SMS.
- The destination values are masked: only the first digit and the last four digits of the phone number appear, and only the first two characters of the email user name plus the full domain appear.
- If a phone number is not found in the system or an SMS service is not configured, the user will not get the option to send an SMS.
- If an email address is not found in the tables mentioned above, the user will not get the option to send email.
- If both methods fail and the user is configured to use two-factor authentication, they will get a descriptive error message telling them to contact their system administrator.
- A user gets five attempts to input the correct code. After the fifth attempt, they will be sent back to the login form and will need to generate a new code.
- The only way to access the ‘Authorization Code’ form is by logging in with correct credentials and having the configuration settings enabled. Any attempt to access the URL controller.php?action=login_authenticate directly should redirect back to the login form. Refreshing the Authorization Code form will send a user back to the login form.
- If the authorization code has expired, the user will be notified when they attempt to enter their code and will be redirected back to the login form.
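The end-user rules above (masked destinations, the five-attempt limit, and expiry sending the user back to the login form) are modelled here as an added Python example; it is not Q360 code. The masking format, the outcome strings ("ok", "retry", "locked", "expired", "login") and the six-digit code length are assumptions made for the illustration, and the clock is seconds since the epoch.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5          # page: five attempts, then back to the login form
CODE_EXPIRY_MINUTES = 5   # page: Code Expiry should not be set below 5


def mask_phone(number: str) -> str:
    """Show only the first digit and the last four digits of the number."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 5:
        raise ValueError("phone number too short to mask safely")
    return digits[0] + "*" * (len(digits) - 5) + digits[-4:]


def mask_email(address: str) -> str:
    """Show the first two characters of the user name and the full domain."""
    local, sep, domain = address.partition("@")
    if not sep or not domain:
        raise ValueError("not an email address")
    return local[:2] + "*" * max(len(local) - 2, 0) + "@" + domain


def available_destinations(phone: Optional[str], email: Optional[str],
                           sms_configured: bool) -> dict:
    """Destinations offered to the user; an empty dict means 'contact your administrator'."""
    options = {}
    if phone and sms_configured:              # no number or no SMS handler: no SMS option
        options["SMS"] = mask_phone(phone)
    if email:
        options["EMAIL"] = mask_email(email)
    return options


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class AuthCodeSession:
    """Tracks one outstanding authorization code for a login session."""

    def __init__(self, expiry_minutes: int = CODE_EXPIRY_MINUTES) -> None:
        self.expiry_seconds = expiry_minutes * 60
        self.pending: Optional[PendingCode] = None

    def issue(self, now: float, code: Optional[str] = None) -> str:
        """Generate (or accept, for tests) a code and return it for sending."""
        generated = code if code is not None else f"{secrets.randbelow(10**6):06d}"
        self.pending = PendingCode(generated, now)
        return generated

    def verify(self, submitted: str, now: float) -> str:
        """Return 'ok', 'retry', 'locked', 'expired' or 'login' (no code outstanding)."""
        p = self.pending
        if p is None:
            return "login"                         # direct access: back to the login form
        if now - p.issued_at > self.expiry_seconds:
            self.pending = None
            return "expired"                       # user is notified and sent to login
        p.attempts += 1
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(p.code.encode(), submitted.strip().encode()):
            self.pending = None
            return "ok"
        if p.attempts >= MAX_ATTEMPTS:
            self.pending = None
            return "locked"                        # fifth failure: must generate a new code
        return "retry"


if __name__ == "__main__":
    print(available_destinations("+1 416 555 0199", "alice@example.com", sms_configured=True))
    s = AuthCodeSession()
    sent = s.issue(now=0.0)
    print(s.verify(sent, now=30.0))   # ok
```

Two details carry the security weight: the code is discarded both on expiry and after the fifth failed attempt, so a stale or brute-forced session can never be revived, and the comparison uses hmac.compare_digest rather than == so the check takes the same time regardless of how many leading digits are right.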