IBM Verify

  • 1.  ISVA - How to configure step up with SMS OTP and TOTP option only?

    Posted Fri January 15, 2021 12:14 PM
    Hi Team,

    I wanted to configure the AAC policy in such a way that it should allow TOTP and SMS OTP as step-up authentication.
    However, most of the standard mechanisms show Email and SMS in combination, or TOTP only, or all.

    I have tried modifying the OTPGetMethods to set the values below, but I am still confused about which authentication type should be used.

    var useSMS = true;
    var useEmail = false;
    var useTOTP = true;
    var useHOTP = false;
    var useRSA = false;

    How can I show just TOTP and SMS OTP only? Any suggestions?

    Thank you.

    Regards,
    Prashant Narkhede


    ------------------------------
    Prashant Narkhede
    ------------------------------


  • 2.  RE: ISVA - How to configure step up with SMS OTP and TOTP option only?

    Posted Fri January 15, 2021 02:07 PM
    Hi Prashant,

    You can leverage the new Branching Authentication Policies feature of IBM Security Verify Access (v10) to implement this. The OOTP scenario with the name of 'Generic' can be configured to use two branches (SMS OTP and TOTP) so that only these options would be presented to the user.

    If you are on a lower version of ISAM, then you can refer to the link below to Shane Weeden's blog on configuring branching authentication policies using InfoMap to implement your use case.

    https://www.ibm.com/blogs/sweeden/branching-authentication-policy-isam-advanced-access-control/

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 3.  RE: ISVA - How to configure step up with SMS OTP and TOTP option only?

    Posted Sat January 16, 2021 03:50 AM
    Hi Jahanzaib,

    Thank you for your suggestions.

    I was able to do it with the method of modifying OTPGetMethods and using One Time Password.
    Also, I have tried the branching that you suggested. It is much easier and a good option to go with.

    I wanted to know whether it is possible to use this branching option with the Federation Access Policy.
    Is there any way I can configure it with a script that we write for Federation Access Policy? 

    Regards,
    Prashant Narkhede


    ------------------------------
    Prashant Narkhede
    ------------------------------



  • 4.  RE: ISVA - How to configure step up with SMS OTP and TOTP option only?

    Posted Tue January 26, 2021 02:29 AM
    Hi Prashant,

    I haven't personally tried it yet with Federation Access Policy, but I believe it should work.

    Could you kindly shed some more light on the scenario or use case that you want to implement?

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------