Wednesday, September 14, 2016

SMS OTP Two Factor Authentication through Identity Server

In this post, I will explain how to use the SMS OTP multifactor authenticator with WSO2 Identity Server. In this demonstration, I use the Twilio SMS provider to send the OTP code via SMS when authentication happens.


SMS OTP Authentication Flow



















The SMS OTP authenticator of WSO2 Identity Server lets users authenticate to the system using multifactor authentication. It authenticates with user name and password as the first step, then sends a one-time password to the user's mobile via SMS as the second step. WSO2 IS validates the code and lets the user sign in accordingly.


Add the authenticator configuration to the <IS_HOME>/repository/conf/identity/application-authentication.xml file, under the <AuthenticatorConfigs> section.


<AuthenticatorConfig name="SMSOTP" enabled="true">
    <Parameter name="SMSOTPAuthenticationEndpointURL">https://localhost:9443/smsotpauthenticationendpoint/smsotp.jsp</Parameter>
    <Parameter name="SMSOTPAuthenticationEndpointErrorPage">https://localhost:9443/smsotpauthenticationendpoint/smsotpError.jsp</Parameter>
    <Parameter name="MobileNumberRegPage">https://localhost:9443/smsotpauthenticationendpoint/mobile.jsp</Parameter>
    <Parameter name="RetryEnable">true</Parameter>
    <Parameter name="ResendEnable">true</Parameter>
    <Parameter name="BackupCode">true</Parameter>
    <Parameter name="SMSOTPEnableByUserClaim">false</Parameter>
    <Parameter name="SMSOTPMandatory">false</Parameter>
    <Parameter name="usecase">association</Parameter>
    <Parameter name="secondaryUserstore">primary</Parameter>
    <Parameter name="CaptureAndUpdateMobileNumber">true</Parameter>
    <Parameter name="SendOTPDirectlyToMobile">false</Parameter>
</AuthenticatorConfig>

Configure the Service Provider and Identity Provider as you normally would for two-factor authentication. Next, configure the SMS OTP identity provider for the Twilio SMS provider.


Go to https://www.twilio.com/try-twilio and create a Twilio account.

While registering the account, verify your mobile number and click on console home https://www.twilio.com/console to get free credits (Account SID and Auth Token).




Twilio uses a POST method with headers, and the text message and phone number are sent as the payload. So the fields would be as follows.

SMS URL         https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json
HTTP Method     POST
HTTP Headers    Authorization: Basic base64{AccountSID:AuthToken}
HTTP Payload    Body=$ctx.msg&To=$ctx.num&From={FROM_NUM}
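
The four fields above, rendered as the HTTP request they describe. This is an added example, not code from the original post or from WSO2; the function names, credentials and phone numbers are constructed placeholders. It builds the request without sending it, and shows two things the field table does not: the Basic header is only base64 of the SID and token, and a leading + in a phone number must be percent-encoded in the form body.

```python
import base64
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

# Field values as given in the post; {AccountSID} and {FROM_NUM} are the
# placeholders you replace, $ctx.msg and $ctx.num are filled per message.
SMS_URL = "https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json"
PAYLOAD_FIELDS = {"Body": "$ctx.msg", "To": "$ctx.num", "From": "{FROM_NUM}"}


def basic_auth_header(account_sid, auth_token):
    """Authorization value: 'Basic ' + base64('AccountSID:AuthToken')."""
    raw = f"{account_sid}:{auth_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header):
    """base64 is an encoding, not encryption: anyone who sees the header
    (proxy log, debug trace, config export) recovers SID and token."""
    sid, _, token = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return sid, token


def build_sms_request(account_sid, auth_token, from_num, to_num, message):
    """Build, without sending, the POST that the four fields describe."""
    values = {"$ctx.msg": message, "$ctx.num": to_num, "{FROM_NUM}": from_num}
    form = {field: values[slot] for field, slot in PAYLOAD_FIELDS.items()}
    return Request(
        SMS_URL.replace("{AccountSID}", account_sid),
        data=urlencode(form).encode("ascii"),  # percent-encodes '+', ':', spaces
        method="POST",
        headers={"Authorization": basic_auth_header(account_sid, auth_token),
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def fields_as_received(body):
    """Decode a form body the way the receiving server would."""
    return {k: v[0] for k, v in parse_qs(body.decode("ascii")).items()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials or numbers.
    req = build_sms_request("ACconstructedsid", "constructed-token",
                            "+15555550100", "+15555550199", "Verification code: 345678")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print(fields_as_received(req.data))
    # A raw '+' in a form body decodes to a space, so the number is corrupted:
    print(fields_as_received(b"To=+15555550199"))
```

Because the header decodes back to the Account SID and Auth Token, treat the identity provider configuration and any request logs that include it as secrets.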

You can then go to the SMS OTP identity provider and configure it to send the SMS using the Twilio SMS provider.

Twilio SMS Provider Config





















When authentication reaches the second step, the code is sent to the mobile number saved in the mobile claim of the user's profile.
If the user enters the code, WSO2 IS validates it and lets the user sign in accordingly.

11 comments:

  1. Hi, could you please explain the step where you are configuring SMS OTP? I am using WSO2 IS 5.0.2 with the resident identity provider and I cannot see any place "SMSOTP Configuration."

    Thanks
    Agam

    Replies
    1. You need to create an identity provider for the SMS OTP authenticator, then add basic or any federated authenticator as the first step and the SMS OTP authenticator as the second step in the Service Provider. You can use the WSO2 store [1] and the documentation [2] to set up the SMS OTP authenticator.
      [1] - https://store.wso2.com/store/assets/isconnector/details/ec6a18ae-4763-4958-bc61-8e12f5b441ac
      [2] - https://docs.wso2.com/display/ISCONNECTORS/Configuring+SMSOTP+Authenticator

      Thanks,
      Kathees

    2. Were you able to set up the SMS OTP authenticator with WSO2 Identity Server?

  2. Hi Rajendram Kathees,

    I am using wso2is 5.4.0 and want to send the smsotp, which must become invalid after a certain time, and the user should not be able to send the smsotp more than 3 times. Does WSO2 IS support such features?

  3. Hi Kathees,

    I am using WSO2 Identity Server version 5.5.0. I have configured the steps for SMS OTP using the link below,
    https://docs.wso2.com/display/IS550/Configuring+SMS+OTP but I am not getting the OTP. Please help me to proceed further.
