IBM Verify

  • 1.  Retrieving TOTP secret keys

    Posted Mon April 03, 2023 08:29 AM

    Hello everybody,

    We are using ISAM (AAC) to store TOTP secret keys for our users. Everything is working as intended, our users are able to enroll and strongly authenticate using their TOTP client.

    We would like to export those TOTP secret keys, but we are unable to understand the format of the table USER_ATTRIBUTES_VALUES that stores the TOTP secret keys. It seems that they always start with "{obf2}" and that some base64 encoding is used, but we are unable to transform them back to the secret key.

    Does somebody know what transformation steps are performed in order for ISAM to store the secret TOTP key?


    Thanks for any help!



    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: Retrieving TOTP secret keys

    Posted Tue April 04, 2023 03:15 AM


    Hi André!

    I don't know the steps to get from the obfuscated value of the secret in the database to the OTP secret in clear. By the way: "obf" stands for obfuscated.
    I'm curious what you are trying to achieve. I suspect you are planning to migrate from one database to another?

    There is a way to get the secret keys in clear by using the REST interface. See this link: https://www.ibm.com/docs/en/sva/10.0.5?topic=control-rest-services-otp-secret-keys. From the documentation I understood that these calls retrieve the secret of the logged-in user. In other words, at any time, a user can get ISVA to retrieve his/her secret - either in text or as a QR. 

    Also programmatically there's IDMappingExtUtils that has methods to retrieve, delete and store TOTP/HOTP secret key. For example, there's retrieveTotpsecretkey(java.lang.string user) but I have no experience on how to use that.

    Hopefully other members can help here.

    Cheers
     - Peter





    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 3.  RE: Retrieving TOTP secret keys

    Posted Wed April 05, 2023 01:37 AM

    We don't publish information on the obfuscation algorithm - my advice would be to batch the extraction via a custom InfoMap using the IDMappingExtUtils.retrieveTotpSecretKey(String username) API as Peter pointed out. If there are such a number that this becomes impractical, then best reach out to support to see what they suggest an alternative might be.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
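
    The batching approach Shane describes, sketched as an added example (this is not code from the thread, from IBM, or from any ISVA product sample). The export loop is plain JavaScript so it can be run outside ISVA; the ISVA-specific wiring at the end is an assumption (the IDMappingExtUtils import path, reading a "users" request parameter via context.get, echoing the result through an assumed @JSON@ page-template macro, and the chunk size of 200). The per-run chunk limit is a design choice that keeps each InfoMap invocation short, since the thread does not settle whether a per-request execution limit applies.

```javascript
// Added example (not from the thread or from IBM): batching
// IDMappingExtUtils.retrieveTotpSecretKey(username) calls inside a custom
// InfoMap, as Shane suggests. The export logic is plain JavaScript so it can
// be exercised outside ISVA; the ISVA-specific wiring is isolated at the end.

// Walk a list of usernames, call the retrieval function once per user, and
// classify the outcome. retrieve(username) is expected to return the secret
// as a string, or null when the user has no TOTP enrollment; an exception is
// recorded per user instead of aborting the whole batch.
function exportTotpSecrets(usernames, retrieve, maxPerRun) {
  var result = { exported: [], notEnrolled: [], errors: [], remaining: [] };
  var limit = maxPerRun || usernames.length;
  for (var i = 0; i < usernames.length; i++) {
    var user = usernames[i];
    var processed = result.exported.length + result.notEnrolled.length + result.errors.length;
    if (processed >= limit) {
      // Defer the rest to the next request so one InfoMap invocation stays short.
      result.remaining.push(user);
      continue;
    }
    try {
      var secret = retrieve(user);
      if (secret === null || secret === undefined) {
        result.notEnrolled.push(user);
      } else {
        // String() normalises a Java String returned through Rhino into a JS string.
        result.exported.push({ username: user, secret: String(secret) });
      }
    } catch (e) {
      result.errors.push({ username: user, error: String(e) });
    }
  }
  return result;
}

// Constructed in-memory stand-in for retrieveTotpSecretKey, used only for
// running this file outside ISVA. The secret values are made up.
var SAMPLE_STORE = {
  alice: "JBSWY3DPEHPK3PXP",
  bob: "GEZDGNBVGY3TQOJQ",
  eve: null
};
function sampleRetrieve(username) {
  if (username === "broken") { throw new Error("simulated backend failure"); }
  return Object.prototype.hasOwnProperty.call(SAMPLE_STORE, username) ? SAMPLE_STORE[username] : null;
}

// ISVA wiring (assumed, not verified here): inside an InfoMap mapping rule
// the class import and request-parameter lookup would look roughly like this.
//   importClass(Packages.com.tivoli.am.fim.fedmgr2.trust.util.IDMappingExtUtils);
//   var users = String(context.get(Scope.REQUEST,
//       "urn:ibm:security:asf:request:parameter", "users")).split(",");
//   var batch = exportTotpSecrets(users, function (u) {
//     return IDMappingExtUtils.retrieveTotpSecretKey(u);
//   }, 200);
//   macros.put("@JSON@", JSON.stringify(batch));   // assumed JSON page template
// Do not trace the batch object: it carries plaintext shared secrets.

function runDemo() {
  return exportTotpSecrets(["alice", "bob", "eve", "broken", "carol"], sampleRetrieve, 4);
}

if (typeof IDMappingExtUtils === "undefined") {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

    In the sample run, alice and bob are exported, eve has no enrollment, the lookup for "broken" is recorded as an error rather than stopping the loop, and carol is deferred to the next chunk because the limit of four was reached. The step that serves this InfoMap should only be reachable after an administrative authentication, and the JSON response should be consumed by the migration tooling directly rather than written to trace or audit logs.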



  • 4.  RE: Retrieving TOTP secret keys

    Posted Fri April 07, 2023 04:40 AM

    Hello,

    Thanks to both of you for your tips.

    We were aware of both methods you suggested, but we were hoping there was another one we were not aware of.
    I think that if we do need to implement this, we will try the custom infomap "batch".

    Is there any InfoMap execution maximum time that could interfere?


    @Peter Volckaert we are evaluating what it would take to migrate TOTP management from ISAM to our dedicated backend (EAI). Today the authentication methods for our customer accounts are split between our EAI and ISAM (for TOTP and FIDO2), and we are thinking about moving everything to our EAI to minimize complexity.





    ------------------------------
    André Leruitte
    ------------------------------