IBM Security Verify

 View Only
  • 1.  IBM Security Verify Access - TOTP

    InnerCircle
    Posted Thu May 26, 2022 08:03 PM
    Hello Team,

    Wanted to create different template files and map them with different TOTP policy.
    Example -
    TOTPOnly Auth mechanism -> /totp/login_totponly.html
    TOTP_SMS Auth mechanism->/totp/login_totp_sms.html

    I didn't find anywhere in TOTP settings where I can map to a particular template files. By default it goes to /totp/login.html page. Appreciate. Please suggest.



    ------------------------------
    Bipin Dash
    ------------------------------


  • 2.  RE: IBM Security Verify Access - TOTP

    Posted Tue May 31, 2022 06:17 AM

    Why do you want to do this? The way that AAC policies work is that each mechanism acts independently. In a standard AAC policy you wouldn't prompt for both the TOTP and SMSOTP on the same page (which is the only thing I could think of that you might be trying to do). Instead you would prompt for just the TOTP, then in the case of the AAC policy that has TOTP followed by SMSOTP, the SMSOTP mechanism would be invoked (and send the SMS), then the page template for that mechanism would be displayed.

    If you wanted to create some kind of special authentication experience where multiple mechanisms were prompted for on the one page, then the way I would do that is to use a custom Infomap mechanism, and in the server-side Javascript supporting that mechanism I would use internal HTTP calls to the apiauthsvc (or starting from ISVA 10.0.3 there is a Java helper class AuthSvcClient for calling one AAC policy from another).

    I think the best thing to do here is explain your use cases in a bit more detail, including the desired user experience, and then someone can adivse on the way to achieve that. It's almost certain with ISVA you can build the experience you want - teasing out how might just be a matter of explaining your scenario first.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: IBM Security Verify Access - TOTP

    InnerCircle
    Posted Tue May 31, 2022 09:39 AM
    Thanks Shane for your response.

    Currently We show 2 types of authentication factors Text Message and Call Back to end users. We are doing it using a AAC extension module which calls external API for text message and call back.

    Recently as per NIST and Salesforce's compliance requirement, Text message and call back are not good 2nd factor option. Application teams are asking to show option TOTP to end user. There are 2 requirements - We can either show all 3 options or only 1 option (TOTP). We have different enterprise portals where the user interface's look and feel are different. So thought of if it's possible to create different template files and map it.


    ------------------------------
    Bipin Dash
    ------------------------------



  • 4.  RE: IBM Security Verify Access - TOTP

    Posted Tue May 31, 2022 04:32 PM
    I would use an Infomap, and validate the TOTP when needed via a second internal call over apiauthsvc to a custom policy with just TOTP in it. You have complete control over UI via the Infomap that way.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 5.  RE: IBM Security Verify Access - TOTP

    InnerCircle
    Posted Wed June 01, 2022 03:45 PM
    Thanks again.

    I have a follow up question - what's the best way to restrict a user not to register multiple device for "TOTP" as there is no way server will no user scanned successfully or closed the browser.

    The way Google provides TOTP to one authenticator app and later on you can change to other autheticator app
    1- user scan qr code
    2- user prompted for PIN
    3- Google recognizes on successful PIN validation and keep a track that user successfully registered the totp.

    In ISAM, if I attach a totp policy, it directs prompt me to enter code. I found the qr code page and was able to display. But problem is the moment I open the QR page, the attribute "totpEnabled" is updated to "true". In this scenario, user might have closed the window so in that case it should be false.

    Am trying to implement the way google totp works,

    1- if "totpEnabled" is false (1st time would be always false), display QR code
    2- user scans QR code, then there would be "Next" button which will ask to enter PIN
    3-user successfully enters the PIN, Here after successful validation, I don't want to redirect the user to "Target" URL, 1st update the "totpEnabled" to true for successful scenario and redirect to Target URL. Otherwise "isTOTPEnabled" should be false

    In that point no. 3 - is there any inbuilt mapping rule or API call which updates "isTOTPEnabled" to true and I can utilize it before redirecting to Target page.
    Appreciate!

    ------------------------------
    Bipin Dash
    ------------------------------



  • 6.  RE: IBM Security Verify Access - TOTP

    Posted Wed June 01, 2022 06:01 PM
    Try either MechanismRegistrationHelper.isTotpEnrolled(username) or IDMappingExtUtils.retrieveTotpSecretKey (and check for non-null). I'm not certain which is best for you, but pretty confident one of them ought to help.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------