Token Policy
2. You are now ready to configure the UIP according to your requirements. Go to the User Integration Policies page:
15.7 Passcode Policies
15.7.1 Settings of a Passcode Policy
15.7.1.2 Passcode Policy: MessageDesigner
This section describes the settings available on the MessageDesigner tab while maintaining a Passcode Policy. Using the MessageDesigner you can create your own message templates that define the content of passcode messages sent to your users during multi-factor authentication.
The content of SMS messages and of e-mail messages can be defined independently of each other.
IMPORTANT:
The number of message templates available on the MessageDesigner tab depends on whether the setting Geo IP and IP History has been enabled on the General Settings page (cf. section 15.3, page 112).
If the setting Geo IP and IP History is disabled on the General Settings page, then the MessageDesigner is in simple mode, allowing maintenance of a single message template. On the other hand, if the setting is enabled, then the MessageDesigner is in advanced mode, allowing maintenance of four different message templates. The difference between these modes is explained in the table below:
Mode: Explanation
Simple Mode: In simple mode, each Passcode Policy defines a single message template defining the content of the passcode messages sent to users. You can define different content for messages sent by SMS and by e-mail, and you can define different message templates for different groups of users by assigning distinct Passcode Policies to them. However, it is not possible for a single user to receive different, context-specific message content depending on the specific authentication context. Such location- and behavior-aware differentiation according to the exact context is only possible when the MessageDesigner is in advanced mode.
Advanced Mode: In advanced mode, each Passcode Policy defines 4 different message templates, where each template is used in different contexts. The 4 available message templates are:
Unknown IP:
This message template is used whenever a user requests an authentication, and the end-user IP is unknown (either because the authentication client in question is not able to collect end-user IP addresses, or because collection of end-user addresses has not been enabled in the SMS PASSCODE® Configuration Tool – cf. section 20.2, page 392).
Learning Mode:
This message template is used whenever a user with Learning Mode activated requests an authentication (and the end-user IP is known). Please read section 15.8.2.3 (page 183) for more details regarding Learning Mode.
Trusted IP:
This message template is used whenever a user requests an authentication from an IP recognized as a Trusted IP (and Learning Mode is not active). Please read section 15.8.2.3 (page 183) for more details regarding the definition of a Trusted IP.
Non-Trusted IP:
This message template is used whenever a user requests an authentication from an IP recognized as a Non-Trusted IP (and Learning Mode is not active). Please read section 15.8.2.3 (page 183) for more details regarding the definition of a Non-Trusted IP.
Additionally, more types of dynamic content (macro placeholders) are available in advanced mode. For example, the message templates Learning Mode, Trusted IP and Non-Trusted IP allow having dynamic content like the name of the country that an authentication request originates from, or the name of the organization owning the end-user IP that the request originates from.
The main idea of having different message templates is to give the user the opportunity, during an authentication attempt, to recognize irregularities and be alerted by them: for example, if the user receives the content of the Non-Trusted IP message template when this was not expected, or if a message shows a country or organization name that was not expected.
The screen shot below shows how the MessageDesigner tab looks in simple mode:
The different sections are explained in the table below:
Setting: Explanation
(a) SMS Message: Message template for passcode messages sent by SMS
(b) E-mail Subject: Template for the subject of passcode messages sent by e-mail
(c) E-mail Body: Template for the body of passcode messages sent by e-mail
(d) Allowed macros: List of macro placeholders permitted in the message templates
Any static text entered into any of the message template fields is copied unchanged to the passcode messages sent to users. The section Allowed macros lists the placeholders that you
In advanced mode the MessageDesigner looks like this:
In this case the MessageDesigner shows 4 tabs (Trusted IP, Non-Trusted IP, Unknown IP and Learning Mode). Each tab allows you to define message templates for both SMS and e-mail, in the same manner as in simple mode. The different message templates are used under different circumstances, as explained previously.
Please note that additional macro placeholders are available in advanced mode. On each of the 4 tabs the bottom section Allowed macros lists the placeholders that are permitted.
Another important feature, only present in advanced mode, is the possibility of having conditional text:
Any text between the characters “{” and “}” is displayed conditionally in messages sent to users. The text is displayed only when the country determined from the international prefix of the user’s phone number differs from the country determined from the end-user IP address that the authentication originates from.
In case a user has no phone number assigned, or no country could be determined from the originating end-user IP address, the countries are assumed to differ; i.e. the conditional text is displayed in this case.
You may ask what the purpose of having conditional text is. The idea is that most users will typically log in from an IP address located in their “home country”, i.e. the country corresponding to the international prefix of their phone number. Since this is the typical scenario, it might be undesirable to show repetitive information in the passcode messages each time. In particular, being informed about the name of the originating country during every such authentication attempt might be irrelevant. We want the users to be alerted in case of irregularities. Hence it makes more sense to display the name of the originating country only when it deviates from the “home country”. This is exactly what you may achieve using conditional text.
Wrapping up the two different modes: Simple mode allows you to adapt the content of the passcode messages per Passcode Policy, e.g. to localize the content or add specific required data, such as the phone number of the internal helpdesk. Advanced mode additionally allows you to send more detailed contextual information to the user, depending on both location and behavior, thereby giving the user the chance to be alerted in case of any irregularities.
WARNING: Consequences of long SMS message content (> 160 characters)
When customizing the content of SMS messages (SMS Message templates) it is recommended to keep the message content relatively short and concise. One thing to notice is that longer message content generally means longer message transmission time as well. But more importantly, if the resulting content of an SMS passcode message exceeds 160 characters, this will have the following consequences:
• If the SMS message is sent using a GSM modem, the message will be split into several messages that are sent sequentially and merged by the receiving mobile phone into a single message again. This means:
  o Longer transmission time (because of several messages)
  o Possibly higher transmission cost (because of several messages)
  o No support for flash SMS, i.e. the message is sent as a standard SMS, even though the user was configured to receive a flash SMS
• If the SMS message is sent as a web service SMS, then only the first 160 characters are forwarded. The remaining message content is cut off.
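The conditional-text rule and the 160-character limit interact: a template that fits in one SMS for a home-country login can exceed the limit exactly when the conditional warning is displayed. The Python below is an added example, not SMS PASSCODE code; the `[COUNTRY]` placeholder, the function names and the transport labels are hypothetical and do not reflect the product's macro syntax.

```python
import re

SMS_LIMIT = 160  # single-message limit from the WARNING above

def render(template, ip_country, phone_country):
    """Resolve conditional text: the part between { and } is shown only when the
    phone-prefix country differs from the IP country. A missing phone number or
    an undetermined IP country counts as "differs", as described above."""
    differ = not ip_country or not phone_country or ip_country != phone_country
    text = re.sub(r"\{([^{}]*)\}", lambda m: m.group(1) if differ else "", template)
    # [COUNTRY] is a hypothetical placeholder, not the product's macro syntax.
    return text.replace("[COUNTRY]", ip_country or "an unknown country")

def delivery(text, transport):
    """Return (text that arrives, consequences) for a rendered SMS message."""
    if transport not in ("gsm_modem", "web_service"):
        raise ValueError(f"unknown transport: {transport}")
    if len(text) <= SMS_LIMIT:
        return text, []
    if transport == "gsm_modem":
        return text, ["split into several messages", "sent as standard SMS, not flash"]
    return text[:SMS_LIMIT], ["cut off after 160 characters"]

# Constructed sample template and passcode.
TEMPLATE = ("Passcode: 123456.{ WARNING: this login comes from [COUNTRY], not your "
            "home country. If you did not start it, do not enter the passcode and "
            "call the internal helpdesk immediately.}")

if __name__ == "__main__":
    # Home-country login, foreign login, and a user without a phone number.
    for ip, phone in [("Denmark", "Denmark"), ("Brazil", "Denmark"), ("Denmark", None)]:
        msg = render(TEMPLATE, ip, phone)
        for transport in ("gsm_modem", "web_service"):
            _, notes = delivery(msg, transport)
            print(f"ip={ip} phone={phone} {transport}: {len(msg)} chars -> {notes or 'ok'}")
```

When reviewing a template, measure the rendered length with the conditional text displayed, since that is the variant sent in the irregular case where truncation or loss of flash delivery matters most.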