IBM Verify

  • 1.  How to limit OTP SMS generation?

    Posted Mon April 29, 2019 04:44 AM
    Hi all,

    We would like to limit the number of SMS OTP generations.
    Is there a parameter to manage it, or is it necessary to modify the OTPDeliver mapping rule to achieve this goal?
    Thanks for your help


    ------------------------------
    Romuald Blondel
    ------------------------------


  • 2.  RE: How to limit OTP SMS generation?

    Posted Tue April 30, 2019 07:53 AM
    Hi Romuald,

    I am not quite sure if you mean to limit the number of characters used in OTP code generation or to limit the numbers to which the OTP codes are texted (SMS).

    For the latter you will need to do some extra coding, i.e. in the sending part. You have given no information on how you currently send the text messages (through an SMS gateway or an email system, perhaps); this will determine where you have to code.

    For the OTP code generator, it depends on what mechanism you use. For example, the TOTP One-time Password mechanism has a property that controls how long the generated one-time password should be (the default length is 6). The MAC One-time Password has the same length property, but you can also specify the character set it is composed of (not limited to digits).

    Hope this helps.

    ------------------------------
    Peter Gierveld
    Security Architect
    SecurIT
    Amsterdam
    ------------------------------



  • 3.  RE: How to limit OTP SMS generation?

    Posted Thu May 02, 2019 08:02 AM
    Edited by Romuald Blondel Thu May 02, 2019 08:02 AM
    Hi,

    This is the screen we use.
    By default, it's possible to regenerate the SMS OTP indefinitely.
    How can we limit the number of tries to regenerate the SMS OTP?
    Thanks for your help




    ------------------------------
    Romuald Blondel
    ------------------------------



  • 4.  RE: How to limit OTP SMS generation?

    Posted Thu May 02, 2019 09:18 AM
    Hi Romuald,

    Now I understand, you want to limit the number of times that a user can click the [Regenerate] button to avoid the extra associated costs.

    There is no setting for this.

    To implement this will definitely need some coding by knowledgeable people at several places in AAC. You would have to keep track of the number of retries in a counter and insert that counter in the session. Then, when the maximum limit is reached, you would have to tell the user and block this method for further use until it is reset by an administrator (otherwise the user will keep retrying and SMS messages will keep on being sent).

    This needs updates to some of the OTP InfoMap scripts, and to one or more template pages, etc.

    You could raise a PMR/feature request (or submit a case) to IBM where you request this very useful setting for inclusion in the product.

    Peter

    ------------------------------
    Peter Gierveld
    Security Architect
    SecurIT
    Amsterdam
    ------------------------------



  • 5.  RE: How to limit OTP SMS generation?

    Posted Fri May 03, 2019 04:41 AM
    Hi Peter,

    Thanks for your answer and confirmation.
    So at this time we cannot avoid some coding in the mapping rule and HTML page.
    I agree about opening an RFE for this feature.
    Thanks for your help.

    Romuald

    ------------------------------
    Romuald Blondel
    ------------------------------



  • 6.  RE: How to limit OTP SMS generation?

    Posted Mon May 06, 2019 02:41 AM
    Hi,

    You might take a look at the recently introduced "rate limiting" feature to cope with this.
    See for example this article: https://www.ibm.com/blogs/security-identity-access/web-reverse-proxy-rate-limiting/
    Or this video: https://www.securitylearningacademy.com/course/view.php?id=3560

    Kind regards, Peter

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 7.  RE: How to limit OTP SMS generation?

    Posted Mon May 13, 2019 06:59 AM
    Hi Peter,

    Thank you for this interesting solution.
    We will consider it when we upgrade to 9.0.6.
    Regards,



    ------------------------------
    Romuald Blondel
    ------------------------------