Hi David,
As you have discovered, the TOTP registration is independent of the "Mobile PUSH" registration. During the initialization of the IBM Verify App, it uses its authority from the user (OAuth Access Token) to register keys for MMFA factors (User Presence, Fingerprint/Face) *and* to obtain the TOTP secret for the user.
When deleting the MMFA registration from the devices screen, you are removing the MMFA Factors and OAuth grant but you are not invalidating the TOTP secret.
To invalidate the TOTP secret, you need to do this explicitly, independently of the removal of the MMFA device.
If you have an end user browser session, you can use a call like this:
curl -H "Cookie: PD-S-SESSION-ID=1_2_1_4HUzNfV5qNYet......" -X "DELETE" https://webseal/mga/sps/mga/user/mgmt/otp/totp
If you have v9.0.7.0 (or later) I think you could also use SCIM (as user or admin) to update the user's totpEnrolled boolean in the urn:ietf:params:scim:schemas:extention:isam:1.0:OTP schema.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
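The two clean-up paths from the reply above, as an added example (not code from the original post, from IBM, or from Jon): it builds the session-cookie DELETE against the TOTP self-service endpoint shown in the post, builds the SCIM PatchOp that flips totpEnrolled in the OTP extension schema, and includes a small audit helper that lists users whose SCIM record still shows totpEnrolled after their device was removed. The SCIM Users path, the PATCH support, the Authorization header value and the sample user records are assumptions or constructed data, marked as such in the comments; the host, cookie value and user id must come from your own deployment.

```python
"""Revoke and audit a user's TOTP enrolment on IBM Security Access Manager.

Added example, not from the original post or from IBM.  Nothing is sent
unless the ISAM_* environment variables are set (see main()).
"""
import json
import os
import urllib.request

# From the post: TOTP self-service endpoint behind WebSEAL and the session cookie name.
TOTP_SELF_SERVICE_PATH = "/mga/sps/mga/user/mgmt/otp/totp"
SESSION_COOKIE_NAME = "PD-S-SESSION-ID"

# From the post: the SCIM extension schema and attribute that record TOTP enrolment.
OTP_SCHEMA = "urn:ietf:params:scim:schemas:extention:isam:1.0:OTP"
TOTP_ENROLLED_ATTR = "totpEnrolled"

# Assumption: SCIM Users resource path on the appliance; verify against your deployment.
SCIM_USERS_PATH = "/mga/sps/scim/Users"


def build_totp_delete_request(base_url: str, session_id: str) -> urllib.request.Request:
    """DELETE the caller's own TOTP secret using an end-user browser session.

    session_id is the full PD-S-SESSION-ID cookie value (the post only shows
    a truncated sample, so a real value must be supplied by the caller).
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + TOTP_SELF_SERVICE_PATH, method="DELETE")
    req.add_header("Cookie", f"{SESSION_COOKIE_NAME}={session_id}")
    return req


def build_scim_patch_body(enrolled: bool = False) -> dict:
    """SCIM 2.0 PatchOp (RFC 7644 s3.5.2) that replaces totpEnrolled.

    Assumption: the appliance accepts a PATCH with a schema-qualified path;
    if yours only supports PUT, send the full user resource instead.
    """
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [
            {"op": "replace",
             "path": f"{OTP_SCHEMA}:{TOTP_ENROLLED_ATTR}",
             "value": enrolled}
        ],
    }


def build_scim_patch_request(base_url: str, user_id: str,
                             authorization: str) -> urllib.request.Request:
    """PATCH the user's SCIM record so totpEnrolled becomes false.

    authorization is the full header value (e.g. 'Bearer <token>' for the
    user's own OAuth token, or an admin credential); which one your
    deployment accepts is an assumption to confirm locally.
    """
    url = f"{base_url.rstrip('/')}{SCIM_USERS_PATH}/{user_id}"
    req = urllib.request.Request(
        url, data=json.dumps(build_scim_patch_body(False)).encode(), method="PATCH")
    req.add_header("Content-Type", "application/scim+json")
    req.add_header("Authorization", authorization)
    return req


def totp_enrolled_users(users: list) -> list:
    """Audit helper: names of SCIM users whose OTP extension still says enrolled.

    Run this over a SCIM Users listing after device removals to catch secrets
    that the device-removal screen did not invalidate.
    """
    return [u["userName"] for u in users
            if u.get(OTP_SCHEMA, {}).get(TOTP_ENROLLED_ATTR) is True]


# Constructed sample SCIM resources (not real data): alice still enrolled,
# bob explicitly not, carol has no OTP extension at all.
SAMPLE_USERS = [
    {"userName": "alice", OTP_SCHEMA: {TOTP_ENROLLED_ATTR: True}},
    {"userName": "bob", OTP_SCHEMA: {TOTP_ENROLLED_ATTR: False}},
    {"userName": "carol"},
]


def main() -> None:
    base = os.environ.get("ISAM_BASE_URL")      # e.g. https://webseal
    session = os.environ.get("ISAM_SESSION_ID")  # PD-S-SESSION-ID value
    if not base or not session:
        print("Offline run; users still enrolled in sample:",
              totp_enrolled_users(SAMPLE_USERS))
        return
    with urllib.request.urlopen(build_totp_delete_request(base, session)) as resp:
        print("TOTP delete returned HTTP", resp.status)


if __name__ == "__main__":
    main()
```

The DELETE is the path an end user can take from their own browser session; the SCIM PATCH is the path an administrator can script, and the audit helper is what a defender would run periodically to make sure no orphaned TOTP secrets remain usable.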
Original Message:
Sent: Tue August 04, 2020 01:19 PM
From: David Vicenteño
Subject: Access manager removing authenticator devices.
After registering a device to use the IBM Verify mobile app in the device selection page, OTP authentication works fine, but if I remove the authenticator device in the device selection page, the user can still use the OTP code shown by the device to authenticate.
Is there any way to prevent the user from using that OTP code to authenticate if there are no devices registered in the device selection page?
Any help will be appreciated. Regards.
------------------------------
David Vicenteño
------------------------------