IBM Security Verify

  • 1.  option to create multiple TOTP One-time Password (Type) mechanisms

    Posted Mon June 24, 2019 11:13 AM
    We have a requirement to have multiple Key URLs (secret key URLs) since we support multiple brands (VW, Audi, Porsche etc.).

    When I was looking at the drop down of mechanisms under authentication of AAC, I do not see any option for TOTP One-time Password (Type).

    Is there a way to create multiple mechanisms for TOTP One-time Password (Type) and generate multiple Secret Key URLs for different brands?

    e.g.:

    Secret Key URL: otpauth://totp/VW%20Dealer%20Access:@USER_NAME@?secret=@SECRET_KEY@&issuer=VW%20Dealer%20Access

    We want to have more URLs to cover brand-specific QR codes when people scan, e.g. VW Dealer Access, Audi Dealer Access.

    ------------------------------
    Mubashir Naseer
    Volkswagen of America
    Detroit MI
    ------------------------------


  • 2.  RE: option to create multiple TOTP One-time Password (Type) mechanisms

    Posted Tue July 02, 2019 12:33 PM
    Mubashir,

    I don't believe it is possible to have multiple TOTP/HOTP secret keys for the same user within a single ISAM environment.  Sorry.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: option to create multiple TOTP One-time Password (Type) mechanisms

    IBM Champion
    Posted Fri October 13, 2023 03:47 AM
    Edited by André Leruitte Fri October 13, 2023 04:00 AM

    Hi Jon and Mubashir,

    Thank you both for having this question answered here, it avoids me sinking hours in trying to find a solution to this problem.

    Anyway, I wanted to add that 4 years later, this still does not seem possible. It's really a pity, because it is going to force us to implement TOTP management ourselves outside of ISAM, to be able to customize those URLs depending on which IDP needs to use a TOTP mechanism.

    It's too bad that parameter cannot be overridden at the Auth Policy level, it would have been a really simple solution:



    ------------------------------
    André Leruitte
    ------------------------------



  • 4.  RE: option to create multiple TOTP One-time Password (Type) mechanisms

    Posted Wed October 25, 2023 09:51 AM

    Hi Andre, 

    When it comes to registration, you can get creative, and certainly customise the registration flow. 

    Here is an example I wrote up recently where you essentially generate the TOTP secret, and have the user validate it before saving it. 
    https://philipnye.com/2023/05/10/customize-the-enroll-totp-qr-code/

    The subtle difference in what you're describing might entail saving the TOTP secret to a different location than the default saving location, i.e. as an LDAP attribute or otherwise, and using the 'correct' source when you want to validate.

    Feel free to reach out if you want to discuss this further. 



    ------------------------------
    Philip Nye
    IBM
    Gold Coast
    ------------------------------



  • 5.  RE: option to create multiple TOTP One-time Password (Type) mechanisms

    IBM Champion
    Posted Fri October 27, 2023 10:34 AM

    Hi Philip,

    Thanks a lot for your reply and your blog post.

    It's more or less the solution we finally implemented:

    • Enrollment InfoMap is called from the SPA application
    • new HMAC key is generated in the InfoMap
    • key is returned to the caller
    • the SPA application generates the QR code client-side, based on the secret retrieved in the call to the InfoMap, and the issuer matching the application

    In the end, the issue I was running into was quite simple to workaround :)



    ------------------------------
    André Leruitte
    ------------------------------