Mobile Verification Configuration Options
(Last updated on February 5, 2021)
Using the Mobile Verification capabilities of Specops Password Reset increases the security of your environment. Combining "something the user knows" (secret questions and answers) with "something the user has" (a mobile device) is the basis of two-factor or multi-factor authentication, and it lets administrators ensure that the system is being accessed by authorized users.
The process is simple:
- A code is sent to a mobile number that is ‘on-file’ in Active Directory.
- The code shown in the text message (for example 'beK989vc') is entered into the Specops Password Reset web page or mobile app.
- The user is verified and the process is complete.
There are a few different places where this feature can be used. For instance, your helpdesk can use it to better verify the identity of users calling for support. When someone at the helpdesk locates a user covered by Mobile Verification settings, they will see an additional option in the tool: the 'Send code' button sends a code to the user's device, and the helpdesk can then ask the caller to read it back to verify the caller's identity.
There are also a number of configuration options available to Administrators.
You can choose to use either Mobile Verification, Secret Questions, or both. There are benefits to all of the choices so evaluating your needs and the needs of your end users is important.
Fortunately, Specops builds the Password Reset configuration on Group Policy, so you can have different configurations for different user roles in your organization. Users whose job function calls for a higher level of assurance can be required to use both Mobile Verification and Secret Questions, while employees whose roles carry less risk can verify their identity with a few questions only, which keeps the process simple for them.
Verification Code Message
The configuration of this message depends on your SMS provider. As an example, the Swedish SMS provider SMS Teknik requires only a very simple configuration: the message template contains the %mobileNumber% and %Code% variables, which the Specops service resolves on the fly. %mobileNumber% is taken from Active Directory, by default from the user.mobile attribute. %Code% is auto-generated by the service.
Managing the ‘Code’
By default, the Specops Password Reset service generates a complex code, such as the 'beK989vc' example above. This can be turned off so that the service sends 4-digit numeric codes instead. The behavior is controlled by a registry value called UseComplexMobileVerificationCode. The value is Boolean and is set to 1 by default; setting it to 0 turns complex codes off and sends a 4-digit code instead. Keep the trade-off in mind: a 4-digit code has only 10,000 possible values, whereas an 8-character code drawn from upper-case letters, lower-case letters and digits has roughly 2 x 10^14, so leave complex codes enabled unless usability for your users clearly requires the shorter form.
You can check the setting either through regedit or with this simple PowerShell cmdlet.
PS C:\> Get-ItemProperty 'HKLM:\Software\Specopssoft\Specops Password Reset\Server'
The above returns every value in that key, with its name and data.
You should see that UseComplexMobileVerificationCode is set to 1. Use the following command to set it to 0.
PS C:\> Set-ItemProperty 'HKLM:\Software\Specopssoft\Specops Password Reset\Server' -Name UseComplexMobileVerificationCode -Value 0
Restart the service.
PS C:\> Restart-Service SpecopsPasswordResetServer
You are done!
Complex verification codes are a global setting and apply to all users of the system. The PowerShell cmdlets above were run with PowerShell 4.0; cmdlet syntax occasionally changes subtly between versions, so use the Get-Help cmdlet to confirm the parameters for your version.
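The three commands above can be wrapped into a single idempotent procedure that checks the key exists, only writes when the value actually needs to change, and confirms after the restart that the service is running and the value stuck. This is an added example, not tooling shipped by Specops; it uses the registry path, value name and service name referenced above and assumes an elevated PowerShell session on the Specops Password Reset server.

```powershell
# Added example (not Specops' own code): toggle UseComplexMobileVerificationCode
# and restart the Specops Password Reset service, verifying each step.
# Run from an elevated PowerShell session on the server.
$Key     = 'HKLM:\Software\Specopssoft\Specops Password Reset\Server'
$Name    = 'UseComplexMobileVerificationCode'
$Service = 'SpecopsPasswordResetServer'

function Get-SprComplexCodeSetting {
    # Returns $true when complex codes are on, $false when 4-digit codes are on,
    # or $null when the value is not present in the key.
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    if ($null -eq $props.$Name) { return $null }
    return ([int]$props.$Name -ne 0)
}

function Set-SprComplexCodeSetting {
    param([Parameter(Mandatory)][bool]$Enabled)

    if (-not (Test-Path -Path $Key)) {
        throw "Registry key '$Key' not found. Is this the Specops Password Reset server?"
    }

    $desired = [int]$Enabled          # 1 = complex code (default), 0 = 4-digit code
    $current = Get-SprComplexCodeSetting
    if ($null -ne $current -and $current -eq $Enabled) {
        Write-Host "$Name is already $desired; nothing to do."
        return
    }

    # Setting an existing value keeps its registry type; the article shows it as 1/0.
    Set-ItemProperty -Path $Key -Name $Name -Value $desired
    Restart-Service -Name $Service -ErrorAction Stop

    # Confirm the service came back and the value is what we asked for.
    $svc = Get-Service -Name $Service
    if ($svc.Status -ne 'Running') { throw "$Service is $($svc.Status) after restart." }
    if ((Get-SprComplexCodeSetting) -ne $Enabled) { throw "$Name did not change to $desired." }
    Write-Host "$Name is now $desired and $Service is running."
}

# Usage:
#   Set-SprComplexCodeSetting -Enabled $false   # switch to 4-digit codes
#   Set-SprComplexCodeSetting -Enabled $true    # back to complex codes (default)
```

Because the setting is global, run this once per Specops Password Reset server and record the change; the check at the end guards against a restart that silently fails and leaves the old behavior in place.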
There are three additional behaviors that administrators can manage to shape the user experience.
The mobile number is stored in Active Directory, by default in the user.mobile attribute. As an administrator you can point the product at a different AD attribute if you need to. The behaviors below follow from that.
- Bypass if mobile number is missing: If you choose to use both Mobile Verification and Secret Questions, you can skip Mobile Verification for users who have no mobile number in AD. The default is not to bypass. Be aware that bypassing drops those users to a single factor, so populate the attribute before relying on this option.
- Allow users to enter a mobile number when enrolling: This captures the mobile number during the enrollment process, which is very helpful for organizations that do not have mobile numbers on file. Note that the number is then supplied by the enrolling user rather than by a trusted source.
- Require verification of mobile phone number: The web application shows the mobile number to the end user, who selects "send code" to prove possession of the mobile device on file in Active Directory.
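Before enabling "both" factors or the bypass option, it helps to know how many users in the scope of the policy actually have a usable number in the attribute. The script below is an added example, not part of Specops Password Reset: it reads the attribute (user.mobile by default, or whichever attribute you moved the number to) for enabled users under a given OU and reports who is missing a number and whose number is malformed. It assumes the ActiveDirectory RSAT module is installed, and the loose E.164 pattern it uses is an assumption about what your SMS provider will accept.

```powershell
# Added example (not Specops code): audit mobile-number coverage in AD before
# turning on Mobile Verification. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-SprMobileCoverage {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. the OU the GPO is linked to
        [string]$Attribute = 'mobile'                # user.mobile is the product default
    )
    # Assumed acceptable format: optional '+', then 8-15 digits, after stripping
    # spaces, dashes, dots and parentheses. Adjust to your SMS provider's rules.
    $e164 = '^\+?\d{8,15}$'

    $users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $Attribute)

    $ok = @(); $missing = @(); $malformed = @()
    foreach ($u in $users) {
        $raw = $u.$Attribute
        if ([string]::IsNullOrWhiteSpace($raw)) { $missing += $u; continue }
        $normalized = $raw -replace '[\s\-\(\)\.]', ''
        if ($normalized -match $e164) { $ok += $u } else { $malformed += $u }
    }

    [pscustomobject]@{
        Total          = $users.Count
        Ok             = $ok.Count
        Missing        = $missing.Count
        Malformed      = $malformed.Count
        MissingUsers   = $missing   | Select-Object -ExpandProperty SamAccountName
        MalformedUsers = $malformed | ForEach-Object { "$($_.SamAccountName): '$($_.$Attribute)'" }
    }
}

# Usage (hypothetical OU; replace with your own):
#   $r = Get-SprMobileCoverage -SearchBase 'OU=Finance,DC=corp,DC=example'
#   $r | Format-List
#   $r.MissingUsers | Out-File .\users-without-mobile.txt
```

A non-zero Missing count tells you which users would either be blocked (bypass off) or fall back to secret questions alone (bypass on); a non-zero Malformed count points at numbers the SMS provider will likely reject even though the attribute is populated.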
The Mobile Verification option provides additional flexibility to administrators, helping them make the decisions that are best for the users they serve. When the Mobile Verification capabilities are enabled, users can:
- Register mobile numbers during enrollment.
- Verify their identity when resetting their passwords by entering a code sent to their registered mobile device.
- Use mobile verification in conjunction with the ‘Mobile Application’ and manage a password reset, end to end, on their mobile.
As with most Specops products, there is a lot of flexibility in how the solution can be used. Organizations can make choices based on the unique and specific needs of their internal policies and the needs of the users that they serve.