IBM Verify

  • 1.  MMFA configuration using a common workflow process

    Posted Fri August 20, 2021 12:09 PM
    Edited by Alexandre Gammaro Tue August 24, 2021 12:22 PM
    Hi all,

    We're configuring MMFA using the Cookbook provided by Jon Harry, and I'm missing the steps I need to build a workflow that configures MMFA for some users in my company and enforces MMFA for these users.
    Has anyone ever experienced this and could help me with it?

    Edit:
    Ahh.. when I said "common workflow process", I meant that the user needs to input credentials, such as username/password, and 2FA right after.

    We built a workflow like this:

    However, we need to do that for some users, and MMFA works if these users have already configured the IBM Security Verify mobile app.

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------


  • 2.  RE: MMFA configuration using a common workflow process

    Posted Tue August 24, 2021 12:24 PM
    Has anyone ever experienced this?

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 3.  RE: MMFA configuration using a common workflow process

    Posted Fri September 17, 2021 09:16 AM
    Hi Alexandre,

    If you want to add additional steps (or conditional logic + branching) around MMFA, you need to do it in the "initiate" flow... not in the "response" flow.

    The flow that contains "Fingerprint Approval" and "MMFA Authenticator" (in response mode) is the flow that is followed by the mobile device when it is processing an authentication transaction.

    You need to find the "initiate" flow which calls the "MMFA Authenticator" mechanism in "Initiate" mode.  This is the flow that the browser follows and so you can add username/pw or 2FA or branching logic into this flow just like you could for any other flow.

    In the MMFA cookbook there are examples of extending the initiate flow (to choose whether to offer user presence or fingerprint for example).  You can see this acting in the initiate flow.  This cookbook was written before branching AAC policies were available so it uses a much more complex method to manage conditional logic (involving multiple policies hooked together).

    In Verify Access 10.0.1.0 (where branching policies were introduced) there are some example branching policies.  I think at least one of these might already contain logic to select MMFA if available and to do something else if not.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------