Using SMS for MFA
There are two methods to send SMS: over HTTP (via SMS Proxy), or over SMPP (via SMSC).
Instead of using the Kron PAM mobile app, OTPs can be generated by Kron PAM and sent via SMS.
To adjust the MFA SMS Settings:
- Navigate to Administration > System Config Man.
- Enter 2fa in the Parameter Name field and click the Search button.
- Set the values of the iga.2fa.sms.http.body, iga.2fa.sms.http.headers, iga.2fa.sms.http.secret.body, iga.2fa.sms.http.url, iga.2fa.sms.smpp.body, iga.2fa.sms.smpp.secret.body, iga.2fa.sms.http.timeout and iga.2fa.token.timestep parameters.
Non-administrator users can choose the MFA method they will use when they gain access, from either SMS or the mobile application. Users can also activate SMS themselves. In this way, a user can use only SMS or only the mobile application.
To activate SMS for users with admin rights:
- Navigate to Administration > 2FA Provisioning > User Group Management.
- Activate SMS by clicking Enable SMS in the SMS column on the line of each user group.
To activate SMS for users with user rights:
- Navigate to Administration > 2FA Provisioning > View Barcode > SMS.
- The SMS Configuration pop-up opens. Select true from the Enable SMS dropdown. (With Inherit from group, the value is inherited from the User Group property.)
Note on MFA SMS Logic:
Each user's own preference takes precedence. When otpSmsEnabled is updated in the User Group Properties, the properties of the group members are not updated.
MFA SMS sending logic is as follows:
- If otpSmsEnabled is defined in the user property, its value is used (no lookup for user group properties).
- If otpSmsEnabled is NOT defined in the user property, SMS is sent when at least one of the user's groups has the otpSmsEnabled property as true.
The combo box values are a) Inherit from group, b) false, and c) true. If no otpSmsEnabled property exists in the user properties, Inherit from group appears selected when the SMS Configuration pop-up opens.
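The sending logic above can be checked against an export of users and groups to see who will actually receive OTPs by SMS and why. The following is an added example, not Kron PAM code: the dictionary layout, the function names and the sample users and groups are assumptions, and only the otpSmsEnabled precedence rule is taken from this page.

```python
# Added illustration. The data model (dicts of users and groups) is assumed,
# not Kron PAM's schema; only the otpSmsEnabled precedence comes from the page.
from typing import Optional


def sms_otp_effective(user_value: Optional[bool], group_values: list) -> tuple:
    """Return (sms_enabled, decided_by) for one user.

    user_value   -- otpSmsEnabled on the user: True, False, or None when the
                    property is not defined ("Inherit from group").
    group_values -- otpSmsEnabled of each group the user belongs to
                    (None when a group does not define it).
    """
    if user_value is not None:
        # Defined on the user: it wins and group properties are not consulted.
        return user_value, "user"
    # Not defined on the user: one group with true is enough.
    return any(v is True for v in group_values), "group"


def audit(users: dict, groups: dict) -> dict:
    """Map each user name to its effective (sms_enabled, decided_by)."""
    return {
        name: sms_otp_effective(
            u.get("otpSmsEnabled"),
            [groups[g].get("otpSmsEnabled") for g in u["groups"]],
        )
        for name, u in users.items()
    }


# Constructed sample data.
GROUPS = {"ops": {"otpSmsEnabled": True}, "dba": {"otpSmsEnabled": False}, "audit": {}}
USERS = {
    "alice": {"groups": ["dba", "ops"]},                   # inherits, one group true
    "bob": {"groups": ["ops"], "otpSmsEnabled": False},    # explicit false beats group
    "carol": {"groups": ["dba", "audit"]},                 # inherits, no group true
    "dave": {"groups": ["dba"], "otpSmsEnabled": True},    # explicit true beats group
    "erin": {"groups": []},                                # no property, no groups
}

if __name__ == "__main__":
    for name, (enabled, decided_by) in audit(USERS, GROUPS).items():
        print(f"{name:6} sms={enabled!s:5} decided_by={decided_by}")
```

Users reported as decided_by=user keep their setting when a group's otpSmsEnabled changes, so a group-level change has to be followed by a review of those explicit per-user values.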