IBM Verify


OTP Token Timeout

  • 1.  OTP Token Timeout

    Posted Fri October 18, 2019 03:04 PM
    Hello,

    We are using OTP for second factor authentication.  We leverage the "MAC One-time Password" authentication mechanism to handle the OTP work (sending emails, rendering HTML, etc.).  The authentication mechanism has an attribute, Store Entry Lifetime, which handles the OTP session timeout.  Now, we have a button that allows the user to regenerate the OTP.  We are finding that when we do this, the token lifetime clock does not reset.  It appears the time remaining to submit the second token (or third, etc.) is driven by the amount of time left from the first token.

    Is there a way to reset the OTP session when we regenerate a new token?

    Thanks!

    ------------------------------
    Troy
    ------------------------------


  • 2.  RE: OTP Token Timeout

    Posted Mon October 21, 2019 11:58 AM
    Would anyone have any feedback?

    ------------------------------
    Troy Burkle
    ------------------------------



  • 3.  RE: OTP Token Timeout

    Posted Tue October 22, 2019 12:06 AM

    Hi Troy,

    Have you made changes to the default template pages regenerate button?

    It performs the following request:

    POST /mga/sps/authsvc?StateId=...
    Content-Type: application/x-www-form-urlencoded
    operation=generate&Regenerate=Regenerate

    With this request, I would expect that the OTP would be stored with the correct lifetime.

    What error do you get back in this flow?



    ------------------------------
    Jasmine SMITH
    ------------------------------



  • 4.  RE: OTP Token Timeout

    Posted Wed October 23, 2019 07:28 PM
    Hi Jasmine,

    Long time no speak! 

    I tried using different hidden input form values based on what you said and nothing worked.  I have tried the following:

    <form id="regenform" method="POST" action="" autocomplete="off" style="margin-top: 15px;">

    Combination as you provided in your example:
      <input type="hidden" name="operation" value="generate" />
      <input type="hidden" name="Regenerate" value="Regenerate" />

    Single generate:
      <input type="hidden" name="operation" value="generate" />

    Single regenerate:
      <input type="hidden" name="Regenerate" value="Regenerate" />


    None of these form inputs would reset the token timeout.  They would time out based on the first generated token's time clock.

    Is there any way if you regenerate the token to reset that timer?

    ------------------------------
    Troy Burkle
    ------------------------------



  • 5.  RE: OTP Token Timeout

    Posted Wed October 23, 2019 07:44 PM
    Hi Troy,

    What is the specific error message that the user encounters during your testing? I suspect you may be hitting a retry manager error flow, not an OTP expiry flow.

    ------------------------------
    Jasmine Smith
    ------------------------------



  • 6.  RE: OTP Token Timeout

    Posted Thu October 24, 2019 09:59 AM
    Hi Jasmine,

    I don't think I am getting an error that I am aware of.  I haven't thought to check the logs because when I generate a new OTP, I still receive an email and I can plug that OTP into the maclogin.html file successfully.  So, I am not aware of any runtime errors.

    What I am seeing (and the business noticed) is when we generate a new OTP using the input below (see html below), the new OTP is only valid for the remainder of time from the first OTP. 

        <input type="hidden" name="operation" value="generate" />

    Steps to reproduce:
    • Set the MAC One-time Password authentication mechanism's "Store Entry Lifetime" to 600 seconds.  (deploy)
    • Login successfully...redirect to OTP.
    • I receive OTP token in email.  However, for this test case I don't submit it and wait 5 minutes.
    • I hit the "resend token" button which invokes the form post with hidden input values above.
    • I receive the new OTP and maclogin.html is updated correctly.  However, for this test case I submit it after 6 minutes (but before 10 minutes).
    • The result...I receive a message from RTSS that the token is expired.

    According to the business, they believe that the second token should be valid for 10 minutes (600 seconds), but it appears to be valid for 5 more minutes.  So we are wondering if there is a way to regenerate the token and reset the clock back to 10 minutes?  It doesn't seem to be an error but it seems more like normal runtime design.

    This has caused great confusion for the business.


    ------------------------------
    Troy Burkle
    ------------------------------



  • 7.  RE: OTP Token Timeout

    Posted Thu October 24, 2019 10:09 AM
    Edited by Troy Burkle Thu October 24, 2019 10:20 AM
    I should also add, I was able to come up with a workaround but it is not clean.  The MAC OTP page is attached to an AAC resource.  If I manually update the URL in my browser to match the resource, I did find that a new OTP is issued with a fresh 10 minute counter.

    However, we are using maclogin for a few use cases.  I would not be able to hardcode the resource into the maclogin page.  I would have to somehow pass the resource to the maclogin page and use JavaScript to populate the link URL.  I am not a full time developer, so this is a little out of my scope of experience.

    ------------------------------
    Troy Burkle
    ------------------------------



  • 8.  RE: OTP Token Timeout

    Posted Thu October 24, 2019 07:07 PM
    Hey Troy,

    After a bit more investigation it does look like this is an issue that will require a code fix. Are you able to open an IBM Support case?

    ------------------------------
    Jasmine Smith
    ------------------------------



  • 9.  RE: OTP Token Timeout

    Posted Thu October 24, 2019 07:16 PM
    Hi Jasmine,

    Just to confirm...this is a bug in the IBM code and not my html, right?  You need me to open a support case to resolve?

    Troy

    ------------------------------
    Troy Burkle
    ------------------------------



  • 10.  RE: OTP Token Timeout

    Posted Thu October 24, 2019 07:16 PM
    Hello Jasmine,

    I believe there's already a support case open for this issue. I'll contact you to discuss further.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 11.  RE: OTP Token Timeout

    Posted Fri February 07, 2020 01:43 PM
    Edited by Gary Vacek Fri February 07, 2020 01:43 PM
    This issue will be corrected using APAR IJ20629 and will be delivered in version 9.0.8.0 of the IBM Security Access Manager product.

    ------------------------------
    Gary Vacek
    ------------------------------