Hi Vince,
It maybe that there isn't a macro available with what you want in the context of the OTP challenge page. However, you could use server-side scripting in the OTP challenge page template to process the value in the macro before including it in the final HTML returned to the browser.
Inside the template page, you can add JavaScript between <% and %> delimiters.
You could get the macro into a variable like this:
var fullPhone = templateContext.macros["@OTP_DELIVERY_ATTR@"]);Then you could do some string manipulation to perform the obfuscation you require and save in another variable, obfuscatedPhone.
At the end you can output the obfuscated version onto the page with:
templateContext.response.body.write(obfuscatedPhone);Hopefully that will help.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Fri September 03, 2021 04:11 AM
From: vincent cassidy
Subject: ISVA: Customise OTP Login Page
We are trying to obfuscate the user's email address and phone number in the OTP Login Page (templates\C\otp\login.html).
This is part of a wider security requirement when resetting a user's forgotten main password we cannot give an clue's as to whether the user's email address is valid in ISAM ( so when an invalid logon is entered they are taken to exactly the same OTP login screen).
In Shane Weeden's post (https://www.ibm.com/blogs/sweeden/protecting-entire-isam-webseal-site-with-multi-factor-authentication-using-stepup-login/), we can see in the OTP Delivery Selection it is possible to send @OTP_METHOD_LABEL@ to contain an obfuscated hint at the email/phone number. We are trying to achieve this on the actual OTP login page with no luck.
We only seem to be able to pass @OTP_DELIVERY_ATTR@.
Can anyone advise on how to achieve this simple requirement please?