IBM Security Verify

Expand all | Collapse all

MMFA configuration using a common workflow process

  • 1.  MMFA configuration using a common workflow process

    Posted Fri August 20, 2021 12:09 PM
    Edited by Alexandre Gammaro Tue August 24, 2021 12:22 PM
    Hi all,

    We're configuring MMFA using Cookbook provided by Jon Harry and i'm missing steps that i need to do a workflow to configure MMFA to some users in my company and to do an enforcement to apply MMFA for this users.
    Has anyone ever experienced this? and could help me about that?

    Edit:
    Ahh.. when i said "common workflow process", i mean that the user need to input credentials, such as username/password and 2FA right after.

    We build a workflow like that:

    However, we need to do that to some users and the MMFA works if these users have already configured mobile app IBM Security Verify.

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Especialist
    Triscal
    ------------------------------


  • 2.  RE: MMFA configuration using a common workflow process

    Posted Tue August 24, 2021 12:24 PM
    Has anyone ever experienced this?

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Especialist
    Triscal
    ------------------------------



  • 3.  RE: MMFA configuration using a common workflow process

    Posted Fri September 17, 2021 09:16 AM
    Hi Alexandre,

    If you want to add additional steps (or conditional logic + branching) around MMFA, you need to do it in the "initiate" flow... not in the "response" flow.

    The flow that contains "Fingerprint Approval" and "MMFA Authenticator" (in response mode) is the flow that is followed by the mobile device when it is processing an authentication transaction.

    You need to find the "initiate" flow which calls the "MMFA Authenticator" mechanism in "Initiate" mode.  This is the flow that the browser follows and so you can add username/pw or 2FA or branching logic into this flow just like you could for any other flow.

    In the MMFA cookbook there are examples of extending the initiate flow (to choose whether to offer user presence or fingerprint for example).  You can see this acting in the initiate flow.  This cookbook was written before branching AAC policies were available so it uses a much more complex method to manage conditional logic (involving multiple policies hooked together).

    In Verify Access 10.0.1.0 (where branching policies were introduced) there are some example branching policies.  I think at least one of these might already contain logic to select MMFA if available and to do something else if not.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------