Configuring email OTP

To configure sending OTPs via email:

  1. Configure an SMTP server as described in Configuring SMTP server connection for event notifications.

  2. Specify the following:

    • Name: The name that will appear in RAS Console.

    • (Optional) Description: The description of MFA.

    • Themes: The Themes that use the MFA.

    • Display name: The name that will appear in Parallels Client.

    • OTP Lenght: The length of an OTP. Can be between 4 and 20 numbers.

    • OTP Validity: The time period when an OTP is valid. Can be between 30 and 240 seconds.

    • User Prompt: Specify the text the user will see when prompted with an OTP dialog.

    • E-mail subject: The subject of an email containing an OTP.

    • E-mail content: The content of an email containing an OTP.

    • Allow users to enroll using external emails: Select this option if you want users to enroll using external email addresses. You can store external emails in RAS Storage or an AD Attribute. If you want to store emails in an Active Directory Custom attribute, you must specify the name of the attribute in the field AD Custom Attribute. You can make sure that you have the permission necessary for storing email addresses in an AD attribute by clicking Validate.

    • The User enrollment section allows you to limit user enrollment if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled due to an expired time frame or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google authenticator or other TOTP provider can still be used, but with added security which would not allow further user enrollment. This is a security measure to mitigate users with compromised credentials to enroll in MFA.

    • Show information to unenrolled users: Select whether unenrolled users can see the The user name or password is incorrect error when they enter incorrect credentials:

      • Never (most secure): Unenrolled users see a TOTP prompt instead of the error.

      • If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.

      • Always: Unenrolled users always see the error.

Last updated

© 2024 Parallels International GmbH. All rights reserved.