IBM Security Verify

  • 1.  (MMFA) After restoring an export of the HVDB the users can't use the Verify Mobile App

    Posted Sat June 19, 2021 04:24 PM
    Hi all!

    Right now I'm facing a problem with our MMFA implementation.
    We had a failure a few days ago that corrupted the internal HVDB database of our ISAM cluster. Due to this failure we opted to finally move the HVDB DB out of the cluster.

    The latest backup of this database is from a previous snapshot taken about a month ago on the primary master appliance. The import of the DB using the scripts provided by the export process works just fine in a DB2 11 database. But now, after the import, none of the users that have enrolled their phones can use the 2FA: ISAM sends the request to the enrolled mobile, but it never reaches the phone.

    This is the image of an affected user:


    Is there any way to recover from this situation?

    Any help will be appreciated. 

    Best Regards,

    Hernan

    ------------------------------
    Hernan Dario Arredondo Rivera
    ------------------------------


  • 2.  RE: (MMFA) After restoring an export of the HVDB the users can't use the Verify Mobile App

    Posted Sun June 20, 2021 03:45 AM

    Hi Hernan,

    My guess, based on getting an error on the initial account screen, is that the MMFA app is not able to query transactions.

    Usually I'd ask about connectivity here but given the DB change it's more likely a data issue (as you said).

    When an authenticator registers it gets an OAuth grant with an access token and refresh token. You'd see the error you're getting if the grant is missing or the refresh token is expired.

    Can you use admin or end user tools to check for grants? You should be able to see tokens and expiry dates.


    Did you see any errors in DB2 logs for the import?  Maybe that would point to an issue that prevented data from importing correctly?

    In the end though I suspect you're going to need a support ticket to resolve this. They will be able to analyse the DB and figure out what is missing.

    Jon. 



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: (MMFA) After restoring an export of the HVDB the users can't use the Verify Mobile App

    Posted Mon June 21, 2021 05:09 PM
    Hi Jon, thanks for your response.

    It's not a data problem or an import problem; the whole export and import process goes as expected with no errors. In fact, the problem is that the refresh token sent by the phone does not match the token stored in the HVDB. I think this is because the refresh token changes every time the user asks for a new auth token. So, when I restore the, let's say, "old" DB backup, the users cannot use the Verify App because the refresh token has been changed during the time between the backup and the restoration. Is this correct or expected behavior?

    Is there a way to have the refresh token remain the same for the whole auth grant lifetime?

    In case it helps, this is the config of my API Definition on ISAM:




    ------------------------------
    Hernan Dario Arredondo Rivera
    ------------------------------



  • 4.  RE: (MMFA) After restoring an export of the HVDB the users can't use the Verify Mobile App

    Posted Tue June 22, 2021 04:17 AM
    Hi Hernan,

    Of course, you are correct; I'm not sure how I didn't remember this before.

    In OAuth, a refresh token is a single-use token. When it is used, the current one is expired (removed from DB) and a new one is created. This is done for security and (as far as I know) is not configurable behaviour.

    An access token has a relatively short lifetime. When it expires, the refresh token is used to get a new access token.
    It's also quite common for applications to discard access tokens when they terminate and use refresh token on restart to get a new one.

    The above behaviour means that when you restore a DB backup, any OAuth client that has performed a refresh since the backup will no longer have a valid refresh token. There's no way to recover this without user re-authorizing the client. For an MMFA authenticator, this means re-registering the authenticator. Obviously the older the backup, the more clients will be affected.

    Sorry to be the bearer of bad news but I think that your users are going to need to delete and re-register their authenticators. I don't see any other option.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
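The failure mode Jon describes above (single-use refresh tokens plus a grant store rolled back to an older backup) can be reproduced in a few dozen lines. The model below is an added illustration and is not ISAM, HVDB or Verify code: the grant table, client ids, activity times and one-hour access-token lifetime are all constructed for the example. It issues a rotating refresh token per registered authenticator, takes a snapshot of the grant table, lets some clients refresh after the snapshot, restores the snapshot, and reports which clients are now rejected.

```python
"""Model of OAuth refresh-token rotation and what a stale grant-store restore does to it.

Added illustration, not IBM/ISAM code: store layout, client ids and timings are
constructed for the example.
"""
import copy
import secrets
from dataclasses import dataclass

ACCESS_TOKEN_LIFETIME = 3600   # seconds; constructed value for the example
DAY = 86400


@dataclass
class Grant:
    client_id: str
    access_token: str
    refresh_token: str         # only the *current* refresh token is kept
    access_expires_at: int


class GrantStore:
    """Authorization-server side: one grant per registered authenticator."""

    def __init__(self):
        self.grants = {}       # client_id -> Grant

    def _issue(self, client_id, now):
        g = Grant(client_id, secrets.token_urlsafe(16), secrets.token_urlsafe(16),
                  now + ACCESS_TOKEN_LIFETIME)
        self.grants[client_id] = g
        return g

    def register(self, client_id, now):
        """User authorizes the client (enrolls the authenticator)."""
        return self._issue(client_id, now)

    def refresh(self, client_id, presented_refresh_token, now):
        """Single-use refresh: the presented token must equal the stored one;
        on success the old token is discarded and a new pair is issued."""
        g = self.grants.get(client_id)
        if g is None or not secrets.compare_digest(g.refresh_token, presented_refresh_token):
            raise PermissionError("invalid_grant: unknown or already-rotated refresh token")
        return self._issue(client_id, now)

    def snapshot(self):
        return copy.deepcopy(self.grants)

    def restore(self, snap):
        self.grants = copy.deepcopy(snap)


class Authenticator:
    """Client side: keeps the latest pair it was given, refreshes when access expires."""

    def __init__(self, client_id, store, now):
        self.client_id, self.store = client_id, store
        self._adopt(store.register(client_id, now))

    def _adopt(self, g):
        self.access_token, self.refresh_token = g.access_token, g.refresh_token
        self.access_expires_at = g.access_expires_at

    def get_access_token(self, now):
        if now >= self.access_expires_at:
            self._adopt(self.store.refresh(self.client_id, self.refresh_token, now))
        return self.access_token


def clients_broken_by_restore(activity, snapshot_at, restore_at):
    """activity: client_id -> times (seconds) at which that app contacted the server.
    Every client registers at t=0; the store is snapshotted just before the first
    activity at or after snapshot_at; after all activity the snapshot is restored and
    each client contacts the server once more at restore_at.
    Returns the sorted client ids whose refresh is rejected after the restore."""
    store = GrantStore()
    apps = {cid: Authenticator(cid, store, now=0) for cid in activity}
    snap = None
    for t, cid in sorted((t, cid) for cid, ts in activity.items() for t in ts):
        if snap is None and t >= snapshot_at:
            snap = store.snapshot()           # backup taken before this activity
        apps[cid].get_access_token(t)         # refreshes if the access token expired
    if snap is None:
        snap = store.snapshot()
    store.restore(snap)                       # DB rolled back to the backup
    broken = []
    for cid, app in sorted(apps.items()):
        try:
            app.get_access_token(restore_at)
        except PermissionError:
            broken.append(cid)
    return broken


if __name__ == "__main__":
    # Constructed activity: which phones talked to the server on which day.
    activity = {"alice-phone": [1 * DAY, 5 * DAY, 40 * DAY],
                "bob-phone": [2 * DAY, 35 * DAY],
                "carol-phone": [3 * DAY]}
    print(clients_broken_by_restore(activity, snapshot_at=30 * DAY, restore_at=60 * DAY))
```

Only the clients that refreshed after the snapshot (here alice and bob) hold a refresh token the restored store has never seen; carol, whose last refresh predates the backup, keeps working. The rejected clients can only recover by registering again, which is the same conclusion the thread reaches.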