IBM Security Verify

  • 1.  ISVA: Customise OTP Login Page

    Posted Fri September 03, 2021 08:50 AM
    Edited by Jon Harry Tue September 07, 2021 07:12 AM

    We are trying to obfuscate the user's email address and phone number in the OTP Login Page (templates\C\otp\login.html).

    This is part of a wider security requirement: when resetting a user's forgotten main password, we cannot give any clues as to whether the user's email address is valid in ISAM (so when an invalid logon is entered they are taken to exactly the same OTP login screen).

    In Shane Weeden's post (https://www.ibm.com/blogs/sweeden/protecting-entire-isam-webseal-site-with-multi-factor-authentication-using-stepup-login/), we can see in the OTP Delivery Selection it is possible to send @OTP_METHOD_LABEL@ to contain an obfuscated hint at the email/phone number. We are trying to achieve this on the actual OTP login page with no luck.

    We only seem to be able to pass @OTP_DELIVERY_ATTR@.

    Can anyone advise on how to achieve this simple requirement please?



  • 2.  RE: ISVA: Customise OTP Login Page

    Posted Thu September 09, 2021 01:47 PM
    Hi Vince,

    It may be that there isn't a macro available with what you want in the context of the OTP challenge page. However, you could use server-side scripting in the OTP challenge page template to process the value in the macro before including it in the final HTML returned to the browser.

    Inside the template page, you can add JavaScript between <% and %> delimiters.

    You could get the macro into a variable like this:

    var fullPhone = templateContext.macros["@OTP_DELIVERY_ATTR@"];

    Then you could do some string manipulation to perform the obfuscation you require and save in another variable, obfuscatedPhone.

    At the end you can output the obfuscated version onto the page with:

    templateContext.response.body.write(obfuscatedPhone);

    Hopefully that will help.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
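
The obfuscation step described in the reply above, as an added example that is not part of the original thread and not IBM's code. The helper names `maskDeliveryAttr` and `htmlEscape` and the mask format are assumptions; in a template the code would sit between the `<%` and `%>` delimiters.

```javascript
// Added example: mask an OTP delivery address before it reaches the browser.
// maskDeliveryAttr and htmlEscape are hypothetical helpers, not ISVA APIs.
// ES5 syntax only, assuming the template script engine may not accept newer syntax.

function htmlEscape(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

function maskDeliveryAttr(value) {
  // Coerce to a JS string and trim; a missing value yields an empty string.
  var v = String(value == null ? "" : value).replace(/^\s+|\s+$/g, "");
  if (v === "") { return ""; }

  var at = v.lastIndexOf("@");
  if (at > 0 && at < v.length - 1) {
    // Email: keep the first character of the local part, the first character
    // of the domain and the last domain label. The mask width is fixed so the
    // real length is not disclosed.
    var local = v.substring(0, at);
    var domain = v.substring(at + 1);
    var dot = domain.lastIndexOf(".");
    var tld = dot > 0 ? domain.substring(dot) : "";
    return htmlEscape(local.charAt(0) + "***@" + domain.charAt(0) + "***" + tld);
  }

  // Phone: keep only the last two digits behind a fixed-width mask.
  var digits = v.replace(/\D/g, "");
  if (digits.length < 4) { return "******"; } // too short to reveal anything
  return "******" + digits.slice(-2);
}

// Inside the template the macro is read and the masked value written out.
// The guard lets the same code run outside the appliance for testing.
if (typeof templateContext !== "undefined") {
  var fullValue = templateContext.macros["@OTP_DELIVERY_ATTR@"];
  templateContext.response.body.write(maskDeliveryAttr(fullValue));
}
```

Masking server-side means the full address never appears in the HTML source, which masking in browser-side script would not achieve.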



  • 3.  RE: ISVA: Customise OTP Login Page

    Posted Mon September 13, 2021 09:55 AM

    Fabulous! Thanks Jon, that is indeed exactly what I was looking for. I wasn't aware of the server-side scripting capability in the templates!

    https://www.ibm.com/docs/en/sva/10.0.0?topic=tf-template-file-scripting

    It has worked a treat.



    ------------------------------
    vincent cassidy
    security consultant
    goon it ltd
    lasswade
    (131) 660-0356
    ------------------------------



  • 4.  RE: ISVA: Customise OTP Login Page

    Posted Fri January 28, 2022 03:11 PM
    Hi Vince, Hi Jon

    I am in the same case. Actually, I'd like to obfuscate the phone number on the user's browser. Could you send me the js template that has the macro @OTP_DELIVERY_ATTR@?


    best regards

    BOURI Mohamed
    IAM Security Specialist

    ------------------------------
    Mohamed BOURI
    ------------------------------



  • 5.  RE: ISVA: Customise OTP Login Page

    Posted Fri January 28, 2022 03:45 PM
    Hi Mohamed, happy to share Jon's excellent suggestion

    In our case we send the OTP out by both email address and sms. We amended the following file to cater for our requirement and obfuscate the phone number: -
    /aac/template_files/C/authsvc/authenticator/macotp/login.html






  • 6.  RE: ISVA: Customise OTP Login Page

    Posted Mon January 31, 2022 03:36 AM
    Edited by vincent cassidy Mon January 31, 2022 03:37 AM
    login.html attached

    ------------------------------
    vincent cassidy
    security consultant
    goon it ltd

    ------------------------------
