IBM Security Verify

  • 1.  Configuring One-Time Password Delivery

    Posted Tue April 09, 2024 11:26 AM

    Hi team, I enabled One-Time Password policy in Access Control and attached it to a resource for testing.  When I access the resource I am getting prompted with a form like below as expected:

    How can I update my phone number and email to receive the one time password on those channels or even use the Time Based OTP option?  I am using container based installation of ISAM.

    Thanks,

    Narayan 



    ------------------------------
    Narayan Verma
    ------------------------------


  • 2.  RE: Configuring One-Time Password Delivery

    IBM Champion
    Posted Wed April 10, 2024 08:23 AM

    Have you configured the AAC authentication mechanisms?

    https://www.ibm.com/docs/en/sva/10.0.7?topic=authentication-configuring-one-time-password-delivery-methods

    I know the email address used comes from the mail field on the user ldap object.  The SMS probably comes from the phone field.  I am not sure how to change where these values are pulled from, or if it is possible to change the locations using the default auth mechanisms.

    The TOTP settings are under the auth mechanisms.  You just need to register your TOTP device.  That used to be on:

    /mga/sps/mga/user/mgmt/html/device/device_selection.html

    Or whatever your junction to the RTSS is.  But it looks like TOTP, HOTP, and knowledge questions were removed from that page in later versions.  You can set up the access control policy to register the user if they are not already registered as well.

    I'll personally need to figure out where those registration options on the device_selection page went as I didn't realize those were taken off.  Maybe someone else can chime in and offer some guidance as well.

    PS:  I am curious about your delivery selection prompt.  I've only used the MFA auth policies one at a time.  Did you use one of the new aac authentication scenarios to set that up to get that selection?

    Matt



    ------------------------------
    Matt Jenkins
    ------------------------------



  • 3.  RE: Configuring One-Time Password Delivery

    Posted Fri April 12, 2024 04:25 PM
    Edited by Narayan Verma Fri April 12, 2024 04:32 PM

    Thanks Matt!

    I got access to a trial version of Twilio for SMS and of SMTP2Go for email respectively and configured the authentication mechanisms in ISAM.  How do I set up the email and phone properties for the users in ISAM?  Is there a script/command that I can use after connecting to the openldap container or is there any other way to do this?

    Also, I tried to send the email and SMS to the default options coming up at runtime and they are failing.  Is there a way to review the logs to see which requests they are sending out to the SMS and SMTP vendor gateways?  Currently, even if SMS and emails worked for their current default target it will not help me test, but I want to understand the troubleshooting steps to make them work for when I can actually update the phone and email for the user.

    Also, the "Register new authenticator" options under Authenticators and FIDO2/WebAuthn Registrations at mga/sps/mga/user/mgmt/html/device/device_selection.html are not working for me.

    Thanks,

    Narayan 



    ------------------------------
    Narayan Verma
    ------------------------------
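One way to set the user attributes that the OTP delivery mechanisms read, as an added example that is not part of the thread or of IBM's product: it writes an LDIF modify against the OpenLDAP container with ldapmodify. Matt's reply states that e-mail delivery uses the user's `mail` attribute; the `mobile` attribute for SMS, the container name, bind DN, base DN and the `uid=...,BASE_DN` entry layout are assumptions you should check against your own deployment.

```shell
#!/bin/sh
# Added example, not from the thread or IBM. Sets the LDAP attributes the
# ISAM/ISVA OTP delivery mechanisms read: "mail" for e-mail (per the reply
# above) and, ASSUMED, "mobile" for SMS. Container name, bind DN and base DN
# below are also assumptions; override them through the environment.
LDAP_CONTAINER="${LDAP_CONTAINER:-openldap}"        # assumed container name
BIND_DN="${BIND_DN:-cn=root,secAuthority=Default}"  # assumed admin bind DN
BASE_DN="${BASE_DN:-dc=ibm,dc=com}"                 # assumed user suffix

# user_dn UID: DN of a user, assuming entries live directly under BASE_DN.
user_dn() {
    printf 'uid=%s,%s' "$1" "$BASE_DN"
}

# valid_e164 NUMBER: SMS gateways such as Twilio expect E.164 ("+" then
# 2 to 15 digits, no leading zero); reject anything else before writing it.
valid_e164() {
    printf '%s' "$1" | grep -Eq '^\+[1-9][0-9]{1,14}$'
}

# build_otp_ldif USER_DN EMAIL MOBILE: prints an LDIF "modify" record that
# replaces both attributes on the user entry (each change ends with "-").
build_otp_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: mail\nmail: %s\n-\nreplace: mobile\nmobile: %s\n-\n' \
        "$1" "$2" "$3"
}

# apply_otp_contact UID EMAIL MOBILE: validates the number, then pipes the
# LDIF into ldapmodify inside the container. LDAP_BIND_PW must be exported.
apply_otp_contact() {
    valid_e164 "$3" || { echo "mobile must be E.164, e.g. +15551234567" >&2; return 1; }
    build_otp_ldif "$(user_dn "$1")" "$2" "$3" |
        docker exec -i "$LDAP_CONTAINER" ldapmodify -x -H ldap://localhost \
            -D "$BIND_DN" -w "$LDAP_BIND_PW"
}

# Constructed sample call:
#   LDAP_BIND_PW=... apply_otp_contact testuser testuser@example.com +15551234567
```

After the modify, verify with `ldapsearch` that the entry carries both values before re-testing the OTP prompt.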