OneLogin lets users remotely reset their password via SMS. Using a properly configured Twilio account, OneLogin sends the user a short-lived code that allows them to reset their password upon logging into their OneLogin account. This is a useful and secure feature that incorporates a degree of multi-factor authentication into a self-service password reset function.
Configuring this feature requires information from Twilio to be entered into OneLogin so that the coded SMS messages can be successfully sent out and received.
To configure SMS OTP, do the following:
- Log into your Twilio account as an administrator.
- Go to Dev Tools > Test Credentials and copy down the AccountSID and AuthToken strings.
Also, if you don't have your Twilio number, go to Numbers and copy that.
- Log into your OneLogin account as an account owner and go to Settings > Account Settings, and select the SMS tab.
- Select which user field will hold the phone number Twilio will send the SMS to.
OneLogin defaults to User -> Phone Number.
- Enter your Twilio AccountSID, Authentication Token, and Number into their respective fields. Note: Trial Twilio accounts may not have an SMS-capable number available for use. Please contact Twilio for more details.
- Click Save.
- Go to Settings > Policies, and either create a new policy or select an existing one.
- Select OneLogin SMS.
This will enable SMS password reset functionality for anyone associated with this specific security policy.
Note: This Policy option will not appear until you have configured a valid Twilio account.
Now, when logging back in to OneLogin, you can test the SMS password reset function by selecting Forgot password. After you enter your associated email address, you'll be prompted to select a method of resetting your password.
Here we'll select SMS to immediately send a text containing the password reset code to your mobile device. This code will be valid for 24 hours.
Upon receiving this, enter it into the required OneLogin field to complete the password reset process.
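A pre-flight check for the three Twilio values before they are entered on the SMS tab, including the SMS-capability caveat from the note above. This is an added example, not OneLogin or Twilio code. The function name `preflight`, the value formats, and the response field names (assumed to follow Twilio's Account and IncomingPhoneNumbers REST resources) are assumptions, and all sample data is constructed.

```python
import re

# Assumed value formats (not stated on the page): AccountSID = "AC" + 32 hex
# characters, AuthToken = 32 hex characters, number in E.164 form.
SID_RE = re.compile(r"AC[0-9a-fA-F]{32}")
TOKEN_RE = re.compile(r"[0-9a-fA-F]{32}")
E164_RE = re.compile(r"\+[1-9]\d{6,14}")

# Constructed sample data, shaped like Twilio's Account resource and
# IncomingPhoneNumbers list responses. None of these values are real.
SAMPLE_ACCOUNT = {"sid": "AC" + "0" * 32, "status": "active", "type": "Trial"}
SAMPLE_NUMBERS = {"incoming_phone_numbers": [
    {"phone_number": "+15555550100",
     "capabilities": {"voice": True, "sms": True, "mms": False}},
    {"phone_number": "+15555550101",
     "capabilities": {"voice": True, "sms": False, "mms": False}},
]}


def preflight(account_sid, auth_token, number, account, numbers):
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    for label, value, pattern in (("AccountSID", account_sid, SID_RE),
                                  ("AuthToken", auth_token, TOKEN_RE),
                                  ("Number", number, E164_RE)):
        if value != value.strip():
            problems.append(f"{label} has leading or trailing whitespace")
        elif not pattern.fullmatch(value):
            problems.append(f"{label} does not match the expected format")
    if account.get("sid") != account_sid:
        problems.append("AccountSID does not match the account record")
    if account.get("status") != "active":
        problems.append("Twilio account is not active")
    owned = {n["phone_number"]: n.get("capabilities", {})
             for n in numbers.get("incoming_phone_numbers", [])}
    if number not in owned:
        problems.append("Number is not owned by this Twilio account")
    elif not owned[number].get("sms"):
        problems.append("Number is not SMS-capable")
    return problems


if __name__ == "__main__":
    sid, token = "AC" + "0" * 32, "a" * 32  # constructed placeholders
    for candidate in ("+15555550100", "+15555550101"):
        print(candidate, preflight(sid, token, candidate,
                                   SAMPLE_ACCOUNT, SAMPLE_NUMBERS) or "OK")
```

The check only reports which field failed and never prints the AuthToken, so its output is safe to paste into a ticket.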