OneLogin has the capability to allow a user to remotely reset their password via SMS. Using a Twilio account, OneLogin sends the user a temporary code that allows them to reset their password. This is a useful and secure feature that incorporates a degree of multi-factor authentication into a self-service password reset function.
Configuring this feature requires information from your Twilio account to be entered into OneLogin so that the coded SMS messages can be successfully sent out and received.
To configure SMS:
- Log into your Twilio account as an administrator.
- Go to the Console Dashboard and copy your Account SID and Auth Token strings. You will enter these values into OneLogin, along with your Twilio phone number or short code.
- Log into your OneLogin account as an account owner. Go to Security > Authentication Factors, click New Auth Factor, and choose OneLogin SMS.
- Select which user field holds the phone number that Twilio should send the SMS to. OneLogin defaults to User > Phone Number.
- Enter your Twilio Account SID, Auth Token, and Number/Short code into their respective fields. If you are using Twilio Copilot, select the Message Service ID radio button and enter the Copilot SID instead of a number. Note: Trial Twilio accounts may not have an SMS-capable number available. Please contact Twilio for more details.
- Click Save.
- Go to Settings > Policies, and either select an existing policy or create a new one.
- In the policy, under Sign In, scroll down to the Password Update section and enable the OneLogin SMS checkbox. This enables SMS password reset for every user associated with this security policy. Note: enabling SMS here requires that the SMS MFA factor also be enabled in the MFA section of the same policy.
Note: The OneLogin SMS option will not appear unless you have configured a valid Twilio account.
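Before saving the Twilio values in OneLogin, it is worth checking that they are well-formed and that the sender can actually deliver a message, since a mistyped SID or a trial number without SMS capability only surfaces later as a silent reset failure. The following added example (not OneLogin or Twilio code) validates the three values from the steps above, builds the Twilio Messages API request using either a From number or a Messaging Service SID (the same Number vs. Message Service ID choice as the radio button), and optionally sends one test SMS. All SIDs, tokens and phone numbers in it are constructed placeholders; the request shape follows Twilio's public REST API (Basic auth with Account SID and Auth Token, form-encoded POST to Messages.json).

```python
"""Pre-flight check for the Twilio values an admin pastes into OneLogin's
SMS auth factor: Account SID, Auth Token, and either a sending
Number/Short code or a Messaging Service (Copilot) SID.
Added example; not OneLogin or Twilio code. All SIDs, tokens and phone
numbers below are constructed placeholders."""
import base64
import re
import urllib.parse
import urllib.request

TWILIO_API = "https://api.twilio.com/2010-04-01"

# Twilio identifier shapes: Account SIDs start with "AC", Messaging Service
# SIDs with "MG"; both are 34 characters. Phone numbers must be E.164.
ACCOUNT_SID_RE = re.compile(r"^AC[0-9a-fA-F]{32}$")
MESSAGING_SID_RE = re.compile(r"^MG[0-9a-fA-F]{32}$")
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")
SHORT_CODE_RE = re.compile(r"^\d{5,6}$")  # typical 5- or 6-digit short code


def validate_config(account_sid, auth_token, sender):
    """Return a list of problems with the values; an empty list means OK.
    `sender` is a phone number / short code or a Messaging Service SID,
    mirroring the Number vs. Message Service ID choice in OneLogin."""
    problems = []
    if not ACCOUNT_SID_RE.match(account_sid):
        problems.append("Account SID must be 'AC' followed by 32 hex characters")
    if not auth_token or len(auth_token) < 32:
        problems.append("Auth Token looks too short; copy it from the Console Dashboard")
    if not (MESSAGING_SID_RE.match(sender) or E164_RE.match(sender)
            or SHORT_CODE_RE.match(sender)):
        problems.append("Sender must be an E.164 number, a short code, "
                        "or an 'MG...' Messaging Service SID")
    return problems


def build_message_request(account_sid, auth_token, sender, to_number, body):
    """Build the Twilio Messages API request as (url, headers, form_body).
    Uses MessagingServiceSid when `sender` is an MG SID, otherwise From."""
    params = {"To": to_number, "Body": body}
    if MESSAGING_SID_RE.match(sender):
        params["MessagingServiceSid"] = sender
    else:
        params["From"] = sender
    url = f"{TWILIO_API}/Accounts/{account_sid}/Messages.json"
    creds = base64.b64encode(f"{account_sid}:{auth_token}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode(params)


def send_test_sms(account_sid, auth_token, sender, to_number, transport=None):
    """Send one test message so credentials and sender are proven to work
    before they are saved in OneLogin. `transport(url, headers, body)`
    defaults to a real HTTPS POST; a fake can be injected for offline use."""
    problems = validate_config(account_sid, auth_token, sender)
    if problems:
        raise ValueError("; ".join(problems))
    url, headers, body = build_message_request(
        account_sid, auth_token, sender, to_number,
        "OneLogin SMS configuration test (constructed example)")
    if transport is None:
        transport = _https_post
    return transport(url, headers, body)


def _https_post(url, headers, body):
    """Real transport: POST the form body to Twilio and return the HTTP status."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers,
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed placeholder values; real ones come from the Twilio Console.
EXAMPLE_ACCOUNT_SID = "AC" + "0" * 32
EXAMPLE_AUTH_TOKEN = "f" * 32
EXAMPLE_NUMBER = "+15005550006"
EXAMPLE_MESSAGING_SID = "MG" + "1" * 32

if __name__ == "__main__":
    print("problems:", validate_config(EXAMPLE_ACCOUNT_SID, EXAMPLE_AUTH_TOKEN,
                                       EXAMPLE_NUMBER))
    url, headers, body = build_message_request(
        EXAMPLE_ACCOUNT_SID, EXAMPLE_AUTH_TOKEN, EXAMPLE_MESSAGING_SID,
        "+15551234567", "hello")
    print(url)
    print(body)
```

Run it with a real Account SID, Auth Token and sender to send one test message to your own phone; a 201 response from Twilio means the same three values will work once pasted into the OneLogin SMS factor. Keep the Auth Token out of shell history and logs, since it grants full API access to the Twilio account.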
To test the SMS password reset function, sign out, select Forgot password on the OneLogin login page, enter your username or email address, and then choose SMS as the reset method.
OneLogin immediately sends a text containing the password reset code to the user's mobile device. This code is valid for 24 hours.
Upon receiving the code, the user enters it into the required OneLogin field to complete the password reset process.