IBM Security Verify

I am trying to implement this mechanism, and I am stuck on how to overcome ISVA restrictions:

• MAC will generate a password
• He must deliver the password to the customer using a delivery method.
  • By email
  • By SMS

Unfortunately, I don't have other options for the delivery method, or even create a custom delivery method.
In fact I need to deliver by SMS, but the service provider requires me to send a SOAP request!

So here are the options I thought on using:

• I was trying to use the properties available by SMS configuration. It would be great if I could specify the body of the request! Unfortunately I cannot! DEAD END!
• So, I thought on sending the SMS request to ISAM itself and eventually get it, and in a junction I could capture the request and then I could make the SOAP request! Perhaps by calling http://localhost/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:MySendSMS and providing the arguments in the header.
• Final alternative, is for me to develop the whole MAC, generate it, Send the SOAP request and deliver the OTP, create the interface for the user to type in the One-time password and validate it.

Are there any other alternatives? Which one is the best?

------------------------------
Joao Goncalves
Pyxis, Lda.
------------------------------

Hi Joao,

Does this help at all?

https://philipnye.com/2017/02/14/isam-create-a-new-otp-mechanism/

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: Fri April 30, 2021 08:25 AM
From: Joao Goncalves
Subject: MAC One-time password

I am trying to implement this mechanism, and I am stuck on how to overcome ISVA restrictions:

• MAC will generate a password
• He must deliver the password to the customer using a delivery method.
  • By email
  • By SMS

Unfortunately, I don't have other options for the delivery method, or even create a custom delivery method.
In fact I need to deliver by SMS, but the service provider requires me to send a SOAP request!

So here are the options I thought on using:

• I was trying to use the properties available by SMS configuration. It would be great if I could specify the body of the request! Unfortunately I cannot! DEAD END!
• So, I thought on sending the SMS request to ISAM itself and eventually get it, and in a junction I could capture the request and then I could make the SOAP request! Perhaps by calling http://localhost/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:MySendSMS and providing the arguments in the header.
• Final alternative, is for me to develop the whole MAC, generate it, Send the SOAP request and deliver the OTP, create the interface for the user to type in the One-time password and validate it.

Are there any other alternatives? Which one is the best?

------------------------------
Joao Goncalves
Pyxis, Lda.
------------------------------