IBM Security Verify

  • 1.  MMFA fingerprint status of user

    Posted Fri October 22, 2021 12:46 AM
    Hello, my scenario is to show the user only those 2FA mechanisms that he has already enrolled. But I am unable to check whether the user's biometrics are registered using an AAC policy. Is there any other way to do it?

    ------------------------------
    afras khan
    ------------------------------


  • 2.  RE: MMFA fingerprint status of user

    Posted Fri October 22, 2021 04:58 AM
    Hi Afras,

    If you pull the SCIM record for a user (make an HTTP Callout to the SCIM interface in AAC) this will include information on the authenticators that the user has registered.  This code snippet might help:

    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

    // userObj: the user's SCIM record, parsed from the JSON returned by the HTTP callout.
    var mmfaData = userObj['urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator'];
    if (mmfaData != null) {
      // Registered authenticators and the methods enrolled on them.
      var authenticators = mmfaData.authenticators;
      var userPresenceMethods = mmfaData.userPresenceMethods;
      var fingerprintMethods = mmfaData.fingerprintMethods;
      IDMappingExtUtils.traceString("authenticators : "+JSON.stringify(authenticators));
      IDMappingExtUtils.traceString("userPresenceMethods : "+JSON.stringify(userPresenceMethods));
      IDMappingExtUtils.traceString("fingerprintMethods : "+JSON.stringify(fingerprintMethods));
    }
    

    In recent versions of Verify Access I can see that there is also a helper class: com.tivoli.am.fim.registrations.MechanismRegistrationHelper
    which includes functions like getMmfaRegistrationsForUser(username).
    That might be the best approach.  Check out the JavaDoc for more information.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: MMFA fingerprint status of user

    Posted Fri October 22, 2021 07:00 AM

    I have checked the Javadocs, but the function hasFingerprintEnrolled() in getMmfaRegistrationsForUser(username) is not working. It might be an issue with my syntax.

    var enrolledMethods = MechanismRegistrationHelper.getMmfaRegistrationsForUser(username);
    var f_check = enrolledMethods.hasFingerprintEnrolled();



    ------------------------------
    afras khan
    ------------------------------



  • 4.  RE: MMFA fingerprint status of user
    Best Answer

    Posted Fri October 22, 2021 07:16 AM
    Hi Afras,

    In your code above, enrolledMethods would be an array.  You need to check the hasFingerprintEnrolled() on each member.
    If you just wanted to check the first enrollment, you could use this code instead I think:

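    importClass(Packages.com.tivoli.am.fim.registrations.MechanismRegistrationHelper);
    var enrolledMethods = MechanismRegistrationHelper.getMmfaRegistrationsForUser(username);
    // A user may have no MMFA registrations, so guard before indexing.
    var firstEnrollment = (enrolledMethods != null && enrolledMethods.length > 0) ? enrolledMethods[0] : null;
    var f_check = firstEnrollment != null && firstEnrollment.hasFingerprintEnrolled();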

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
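
Added example, not part of the original posts and not IBM code: checking every registration rather than only the first, so a user whose second device is the one with fingerprint enrolled is still detected, and a user with no registrations is treated as not enrolled. The function names and the `fakeRegistration` stub are hypothetical; only `hasFingerprintEnrolled()` comes from the thread.

```javascript
// Added example (not IBM code). In a mapping rule the input would be
//   MechanismRegistrationHelper.getMmfaRegistrationsForUser(username)
// Each entry is assumed to expose hasFingerprintEnrolled(), as used in the thread.

// Count the user's registrations and how many have a fingerprint method enrolled.
function summarizeMmfaEnrollment(registrations) {
  var summary = { registrations: 0, withFingerprint: 0 };
  if (registrations == null) {
    return summary; // nothing registered: report zero rather than throwing
  }
  for (var i = 0; i < registrations.length; i++) {
    var reg = registrations[i];
    if (reg == null) {
      continue; // skip empty slots instead of failing the whole check
    }
    summary.registrations++;
    if (reg.hasFingerprintEnrolled()) {
      summary.withFingerprint++;
    }
  }
  return summary;
}

// Offer fingerprint as a second factor only when at least one registered
// authenticator has it enrolled.
function shouldOfferFingerprint(registrations) {
  return summarizeMmfaEnrollment(registrations).withFingerprint > 0;
}

// Constructed stand-in for a registration object, so the logic can be
// exercised outside the appliance.
function fakeRegistration(fingerprintEnrolled) {
  return {
    hasFingerprintEnrolled: function () { return fingerprintEnrolled; }
  };
}

// Constructed sample: two devices, fingerprint enrolled only on the second.
// Checking enrolledMethods[0] alone would report "not enrolled" here.
var twoDevices = [fakeRegistration(false), fakeRegistration(true)];
```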



  • 5.  RE: MMFA fingerprint status of user

    Posted Fri October 22, 2021 07:27 AM
    Hi Jon,

    Thank you so much, it worked.

    ------------------------------
    afras khan
    ------------------------------