IBM Security Verify

  • 1.  ISVA: Customise OTP Login Page

    Posted Fri September 03, 2021 08:50 AM
    Edited by Jon Harry Tue September 07, 2021 07:12 AM

    We are trying to obfuscate the user's email address and phone number in the OTP Login Page (templates\C\otp\login.html).

    This is part of a wider security requirement: when resetting a user's forgotten main password, we cannot give any clues as to whether the user's email address is valid in ISAM (so when an invalid logon is entered they are taken to exactly the same OTP login screen).

    In Shane Weeden's post (https://www.ibm.com/blogs/sweeden/protecting-entire-isam-webseal-site-with-multi-factor-authentication-using-stepup-login/), we can see in the OTP Delivery Selection it is possible to send @OTP_METHOD_LABEL@ to contain an obfuscated hint at the email/phone number. We are trying to achieve this on the actual OTP login page with no luck.

    We only seem to be able to pass @OTP_DELIVERY_ATTR@.

    Can anyone advise on how to achieve this simple requirement please?



  • 2.  RE: ISVA: Customise OTP Login Page

    Posted Thu September 09, 2021 01:47 PM
    Hi Vince,

    It may be that there isn't a macro available with what you want in the context of the OTP challenge page. However, you could use server-side scripting in the OTP challenge page template to process the value in the macro before including it in the final HTML returned to the browser.

    Inside the template page, you can add JavaScript between <% and %> delimiters.

    You could get the macro into a variable like this:

    var fullPhone = templateContext.macros["@OTP_DELIVERY_ATTR@"];

    Then you could do some string manipulation to perform the obfuscation you require and save in another variable, obfuscatedPhone.

    At the end you can output the obfuscated version onto the page with:

    templateContext.response.body.write(obfuscatedPhone);

    Hopefully that will help.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
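
An added example (not part of the original posts, and not IBM's code) of the string manipulation step described in the reply above. The helper names `obfuscateDeliveryAttr`, `maskEmail`, `maskPhone` and `escapeHtml` are hypothetical, and the masking rules (fixed-width mask, first character and top-level domain kept for email, last two digits kept for phone) are assumptions chosen so the hint does not reveal the length of the real value.

```javascript
// Hypothetical helpers, written in ES5 so they can be pasted between
// <% and %> in the template. Masking rules are assumptions of this example.
var MASK = "*****"; // fixed width: output length never tracks input length

// The result is written into HTML, so escape significant characters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Email: keep the first character and the last domain label only.
// Constructed sample: "alice@example.com" -> "a*****@*****.com"
function maskEmail(value) {
  var at = value.lastIndexOf("@");
  if (at < 1 || at === value.length - 1) return MASK; // malformed: no hint
  var domain = value.slice(at + 1);
  var dot = domain.lastIndexOf(".");
  var tld = dot > 0 ? domain.slice(dot) : "";
  return value.charAt(0) + MASK + "@" + MASK + tld;
}

// Phone: strip formatting and keep only the last two digits.
function maskPhone(value) {
  var digits = value.replace(/\D/g, "");
  if (digits.length < 4) return MASK; // too short to mask meaningfully
  return MASK + digits.slice(-2);
}

// Treat anything containing "@" as an email address, otherwise as a phone
// number. Empty or missing values get the bare mask, so the template always
// writes something of the same shape.
function obfuscateDeliveryAttr(raw) {
  var value = (raw == null ? "" : String(raw)).trim();
  if (value === "") return MASK;
  var masked = value.indexOf("@") !== -1 ? maskEmail(value) : maskPhone(value);
  return escapeHtml(masked);
}

// Wiring in the template, using the identifiers from the reply above:
//   var fullPhone = templateContext.macros["@OTP_DELIVERY_ATTR@"];
//   templateContext.response.body.write(obfuscateDeliveryAttr(fullPhone));
```

Because the masking runs server-side in the template, the full address or number never reaches the browser; a client-side script doing the same masking would leave it in the page source.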



  • 3.  RE: ISVA: Customise OTP Login Page

    Posted Mon September 13, 2021 09:55 AM

    Fabulous! Thanks Jon, that is indeed exactly what I was looking for. I wasn't aware of the server-side scripting capability in the templates!

    https://www.ibm.com/docs/en/sva/10.0.0?topic=tf-template-file-scripting

    It has worked a treat.



    ------------------------------
    vincent cassidy
    security consultant
    goon it ltd
    lasswade
    (131) 660-0356
    ------------------------------