Set up two-factor account verification

When two-factor account verification is set up in Portal, each user is prompted to provide a phone number for receiving account verification codes. Users who provide a phone number are then prompted to enter a code periodically when they sign in to Portal and when they reset their passwords. See Verify your account.

Beginning in Portal 9.10, a Super user can set up two-factor account verification by entering settings in the Portal UI. In previous Portal versions, account verification settings were entered in Portal configuration files. If you upgrade a Portal instance to version 9.10, account verification settings are moved from configuration files to the Portal database and appear in the Portal UI.

Before you set up two-factor account verification in Portal, you must sign up for services from one of the following providers:

• Twilio (https://www.twilio.com/). Sign up for Verify from Twilio. You must also ensure that the following URLs can be reached on port 443 from the system(s) where the Portal UI is installed: https://verify.twilio.com and https://lookups.twilio.com

• TeleSign (https://www.telesign.com/). Sign up for the SMS Verify and Voice Verify products from TeleSign. You must also ensure that the following URL can be reached on port 443 from the system(s) where the Portal UI is installed: https://rest-ww.telesign.com

Note: Support for two-factor account verification with Twilio was added in Portal 9.10. In previous Portal versions, account verification was only supported with TeleSign.

Users in a Portal instance can be required to set up two-factor account verification. When two-factor account verification is required, a Skip this step option does not appear on the Portal page for setting up two-factor account verification. For more information, see the Portal Installation and Configuration Guide.

To set up two-factor account verification:

1. When signed in as a Super user, click Global Settings on the navigation bar.

2. Click the Settings tab and then click the Third Party MFA/2FA tab.

3. Do one of the following:

   • If you signed up for Verify from Twilio, do the following in the Twilio Multi-Factor Authentication area:

     1. Select the Turn on Twilio MFA check box.

     2. Enter values in the following boxes:

        • Verification Service ID — Your Twilio Verify Service SID.

        • Authentication Token — Your Twilio Auth Token.

        • Account SID — Your Twilio Account SID.

        You can obtain these values from the Twilio console.

     3. In the MFA Expiration in Days box, enter the number of days after which a user must enter a verification code again when signing in from a trusted web browser. A web browser is trusted if the user has selected the Remember me on this device check box when signing in from the browser. See Verify your account.

        The MFA Expiration in Days value can range from 0 to 90. If the value is 0, users must verify their accounts every time they sign in to Portal. Users must also verify their accounts every time they sign in to Portal from web browsers that are not trusted.

     Note: You must also ensure that the following URLs can be reached on port 443 from the system(s) where the Portal UI is installed: https://verify.twilio.com and https://lookups.twilio.com

   • If you signed up for SMS Verify and Voice Verify from TeleSign, do the following in the Telesign Multi-Factor Authentication area:

     1. Select the Turn on Telesign MFA check box.

     2. Enter values in the following boxes:

        • Customer ID — Your TeleSign Customer ID.

        • Secret Key — Your TeleSign API Key.

        You can obtain these values from the TeleSign portal.

     3. In the MFA Expiration in Days box, enter the number of days after which a user must enter a verification code again when signing in from a trusted web browser. A web browser is trusted if the user has selected the Remember me on this device check box when signing in from the browser. See Verify your account.

        The MFA Expiration in Days value can range from 0 to 90. If the value is 0, users must verify their accounts every time they sign in to Portal. Users must also verify their accounts every time they sign in to Portal from web browsers that are not trusted.

     Note: You must also ensure that the following URL can be reached on port 443 from the system(s) where the Portal UI is installed: https://rest-ww.telesign.com

4. Click Save.

5. Do the following to verify the MFA Settings that you entered:

   1. In the Test MFA Settings dialog box, in the Phone Number box, enter a phone number (including the country code) where you can receive an account verification code. If you do not know the country code, click the X in the Phone Number box and select the country.

   2. Click Send Code.

   3. Check your phone for an account verification code.

      If you do not receive a code, check that the phone number you entered is correct. If the phone number is incorrect, enter a new phone number and click Send Code.

   4. Enter the code in the Code box. Click Verify.

      If a message states that the MFA configuration has been saved and enabled, two-factor account verification is now set up. Click Finish.

      If a message states that the code could not be verified, do the following:

      • Enter the account verification code again. Click Verify.

      • Click Cancel and check your Telesign or Twilio information. If the information is not correct, repeat steps Step 3 to Step 5.

      If the code still cannot be verified, the two-factor account verification service might be temporarily available. Please try to set up two-factor account verification again later. If the problem persists, please contact Support for assistance.