PhoneFactor Technical Profile - azure-ad-b2c

Is it possible to change the OTP length, expiration time for OTP in phone factor technical profile via custom policy?
What is the metadata name in such case?

You cannot change the SMS OTP properties with the phone factor technical profile nor the SSPR technical profiles. Only if you use the OTP technical profile and a custom OTP delivery mechanism, then you can adjust OTP expiry, length, character set.
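
An added example, not part of the original answer: a one-time password technical profile pair with the expiry, length and character set set explicitly in metadata. The profile Ids, the metadata values and the claim names `phoneNumber`, `otp` and `verificationCode` are assumptions. Delivering the code (for example through a REST technical profile that calls an SMS provider) is separate and not shown.

```xml
<!-- Added example. Ids, values and claim names are illustrative assumptions. -->
<ClaimsProvider>
  <DisplayName>One time password technical profiles</DisplayName>
  <TechnicalProfiles>
    <!-- Generates the code; the session is keyed on the "identifier" input claim. -->
    <TechnicalProfile Id="GenerateOtp">
      <DisplayName>Generate one time password</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="Operation">GenerateCode</Item>
        <!-- Short lifetime and a low retry count limit the guessing window. -->
        <Item Key="CodeExpirationInSeconds">300</Item>
        <Item Key="CodeLength">8</Item>
        <Item Key="CharacterSet">0-9</Item>
        <Item Key="NumRetryAttempts">3</Item>
        <Item Key="ReuseSameCode">false</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="phoneNumber" PartnerClaimType="identifier" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="otp" PartnerClaimType="otpGenerated" />
      </OutputClaims>
    </TechnicalProfile>

    <!-- Verifies the code the user typed against the one generated for the same identifier. -->
    <TechnicalProfile Id="VerifyOtp">
      <DisplayName>Verify one time password</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="Operation">VerifyCode</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="phoneNumber" PartnerClaimType="identifier" />
        <InputClaim ClaimTypeReferenceId="verificationCode" PartnerClaimType="otpToVerify" />
      </InputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```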

Related

Azure B2C verify Phone number on Sign UP?

I am building a custom policy for B2C Sign up.
We currently do not use B2C to do sign ups, but I'm looking to migrate. Part of this process would require the use of an email and a phone number.
The phone number ONLY would need to be verified.
So after the user signs up for an account an SMS or phone call would verify that they own that phone number.
Looking in the documentation, I see verify phone number, but it's for sign up with a phone number. I don't want to do that.
I just want the phone number to verify during the sign up process.
Any insight?
You could use the PhoneFactor technical profile.
The "PhoneFactor-InputOrVerify" flow asks for a phone number if not present and verifies or just verifies if present.
Use the default starter pack. Just add a precondition to skip the phonefactor step if newUser claim does not exist. That will trigger MFA prompt only on sign up.
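
An added example, not part of the original answer: the precondition described above, placed on the orchestration step that calls `PhoneFactor-InputOrVerify`. The step order and the ClaimsExchange Id are assumptions; use the values from your own user journey.

```xml
<!-- Added example. Order="7" and the ClaimsExchange Id are placeholders. -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <!-- newUser is only present when the account was created in this journey,
         so the phone step is skipped on an ordinary sign-in. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>newUser</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- Keep any preconditions the step already has alongside this one. -->
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
```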

Need to update Email template of MFA which is being sent to User

I am looking for a solution/code/custom policy to customize/update the email which is sent to the user's email address whenever he initiates MFA for his account login.
SAMPLE FORMAT BELOW WHICH NEED TO BE UPDATED OVER EMAIL which is being sent to customer along with OTP
the subject and email format of the OTP for the customer onboarding process should be:
Subject of the email: XYZ Company registration - [OTP number] for authenticating user
Body of the email:
Thank you for initiating the process of registering to our XYZ company online. Please use the [OTP number] to validate your email address.
In case you have not raised this request, please contact our Customer Service Centre on 18000 077 or email Customer.Helpdesk#xyz.au and we will be more than happy to assist you.
Regards,
Use custom email in Azure Active Directory B2C (Azure AD B2C) to send customized email to users that sign up to use your applications. By using the third-party email provider SendGrid, you can use your own email template and From: address and subject, as well as support localization and custom one-time password (OTP) settings.
Custom email verification requires the use of a third-party email provider like SendGrid, Mailjet, or SparkPost, a custom REST API, or any HTTP-based email provider (including your own).
Note: Azure Active Directory B2C offers two methods to define how users interact with your applications: through predefined user flows or through fully configurable custom policies.
For more details, refer to this document:

Azure B2C Custom Policy - change sign in from email to phone

Currently I am capturing the user's email and phone when they sign up. Once they are signed up, they log in with their email and password. I would like to change this so they log in with their phone and password instead of their email address. What update do I need to make in my custom policies to achieve this?
There is a GitHub sample where you can log in users solely with a phone number and MFA via SMS or phone call. This approach is passwordless. Hope this helps with your query.

Segment the signup process to allow email verification at a later time

We are using Azure B2C for our Identity provider, but it is clear that users are finding the process a bit clunky. Mostly this appears to be because of the synchronous nature of the signup process.
We do want to verify the email address and MFA phone number, but ideally not at the point at which they are entered. Is there a way that we can leverage a graph API call to deal with this, or use a custom policy to achieve the same?
We would also like a clear separation of the signup/signin process. Such that a user can be directed to these pages directly and they can also be branded.
You might be able to implement this with two custom policies:
A sign-up policy that prompts the new customer for the email address and the phone number and creates a new user with these marked as unverified. This custom policy can be invoked at the Account Creation step.
A verification policy that verifies the unverified email address, via the built-in email message, and then the unverified phone number, via the built-in phone call or text message. This custom policy can be invoked at the Application Complete step.
Note that it isn't the sign-up policy that sends the verification code but the verification policy that sends it. I don't know if this is acceptable for the desired experience but the custom policy that sends the verification code must be the same one that validates it.
(There is an alternate flow where after the sign-up policy has completed, your end application sends a custom email message, containing a verification link, which when opened by the end user is validated by your end application and then the verification policy -- minus the email verification step since the email address has already been verified -- is started).
If this proposed solution is interesting to you, then I can attempt to provide the full details of the custom policies based on one of the custom policy starter packs.
Updated on 15 February 2019
I've published the following custom policy samples to this GitHub repository. The second and third policies implement the above flow.
sign_up_sign_in
Sign-up for a local account using an e-mail address and a phone number. The end user is prompted for verification of the e-mail address and the phone number.
Sign-in for a local account using an e-mail address or a phone number. If the e-mail address hasn't been verified, then the end user is prompted for verification of the e-mail address. If the phone number hasn't been verified, then the end user is prompted for verification of the phone number.
sign_up_without_verification
Sign-up for a local account using an e-mail address and a phone number. The end user is not prompted for verification of the e-mail address or the phone number.
sign_in_with_verification
Sign-in for a local account using an e-mail address or a phone number. If the e-mail address hasn't been verified, then the end user is prompted for verification of the e-mail address. If the phone number hasn't been verified, then the end user is prompted for verification of the phone number.

How to Integrate one time password (OTP) option with registration form in SAP Hybris?

My requirement is to integrate one time password (OTP) for registration form with mobile number as additional field. So that at the time of registration user will receive one time password (OTP) on mobile number. By submitting correct OTP the User will get validated and confirmed for registration. How to achieve the same?
Regards,
Niraj Kumar
You need to make changes to the registration form and the register controller. On the first post, validate the form and trigger the SMS service for the OTP. Save the OTP and phone number to the session and show the OTP field on the register form. On the second post, validate the form OTP against the session OTP.
