Symantec Access Management

  • 1.  OTP wrong attempts count not to reset to 0 on re-issue of OTP

    Posted Jun 20, 2017 03:12 AM

    Hi Guys,

    We are implementing CA Advanced Authentication 8.2.1 and have the requirement below.

    We want to re-issue the OTP to the user on his backup device when the first device (mobile/email) is not able to receive the OTP.

    What we have observed in the product is that whenever a re-issue OTP is triggered, it resets the count to 0. Let's say:
    • The auth policy, let's say, has 3 wrong attempts to lock out the OTP credential.
    • When the user has entered 2 wrong attempts and clicked on re-issue OTP, AA generates a new OTP and sends it to the user's mobile/email.
    • When the OTP is re-issued, the count of wrong attempts is set to 0, which becomes a continuous loop: the user can make an infinite number of attempts by clicking re-issue OTP.

    I need your strategic ideas to achieve the below:

    1. The user tries 2 wrong attempts. (Let's say the auth policy has "disable user on 3 wrong OTP attempts".)

    2. The user triggers the re-issue OTP, but the wrong attempts count still shouldn't be reset to 0.

    3. When the user gives a 3rd wrong attempt, the user should be locked for the OTP credential.

     

    Thanks,

    Ravi



  • 2.  Re: OTP wrong attempts count not to reset to 0 on re-issue of OTP

    Broadcom Employee
    Posted Jul 17, 2017 04:49 AM

    I think the mentioned scenario looks very valid. As this issue falls outside the scope of a bug, please raise an enhancement request in CA Communities for this design change in the product.



  • 3.  Re: OTP wrong attempts count not to reset to 0 on re-issue of OTP

    Broadcom Employee
    Posted Aug 15, 2017 06:54 PM

    The purpose of re-issue OTP in CA Strong Auth. is to generate a new activation code which will be unique from the one that was generated earlier. Obviously, when you generate a new activation code, the number-of-attempts count will be reset to 0.

    You might be wondering why you would have re-issue when you have create OTP. The actual purpose of re-issue is to reset the validity period based on the profile settings, along with generating a new activation code.

    In your case, you should not be using the re-issue OTP call.

    1. You might have to save the OTP somewhere (maybe as part of the user attributes) when a new OTP is created.

    2. Fetch user details will get the user attributes, and there you can retrieve the existing OTP.

    3. And re-send the same OTP to a new device.


    Thanks

    DP



  • 4.  Re: OTP wrong attempts count not to reset to 0 on re-issue of OTP

    Posted Aug 16, 2017 03:29 AM

    Hi DP,

    Thanks for the reply.

    I think you are explaining in terms of the sample application.

    In real time, the state data is available in AFM where the OTP is present. We aren't saving the OTP as a part of the user attributes, as the OTP is present in the state data, hence we are using the same to resend, with some form parameter to trigger it.


    Thanks,

    Ravi



  • 5.  Re: OTP wrong attempts count not to reset to 0 on re-issue of OTP

    Broadcom Employee
    Posted Aug 23, 2017 02:54 PM

    Hi Ravi - Thanks for the response.

    In the case of AFM, are you getting the same OTP or a different OTP whenever you do re-issue? If you are getting a different OTP, then it will reset to 0. If you are getting the same OTP, then the count will remain the same and will lock after 'x' no. of attempts.

    If you are getting the same OTP and it is still resetting to '0', then there is a bug.


    Thanks

    DP
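
The behaviour discussed in this thread (post 1: re-issue generates a new OTP and resets the wrong-attempt counter, so lockout is never reached; post 3: DP's workaround of resending the already-stored OTP instead of calling re-issue; post 5: same OTP keeps the counter, different OTP resets it), as an added Python example that is not part of the original thread and is not CA Advanced Authentication code. It models a small in-memory OTP service with the naive re-issue path beside a resend path that returns the same OTP and leaves its counter and validity window untouched, then runs a guessing loop against both. The class and function names, the `MAX_RESENDS` cap on resends, the 300-second validity period and the in-memory dict standing in for AFM state data are all assumptions made for the illustration.

```python
import secrets
import time

MAX_WRONG_ATTEMPTS = 3      # lockout threshold from the thread's auth policy
MAX_RESENDS = 2             # assumption: how often one OTP may be resent to a backup device
OTP_VALIDITY_SECONDS = 300  # assumption: validity period from the OTP profile


class OtpLockedError(Exception):
    """Raised once the OTP credential is locked for the user."""


class NaiveOtpService:
    """Post 1 behaviour: re-issue creates a fresh OTP and the wrong-attempt
    counter starts again at 0, so alternating guesses with re-issues never locks."""

    def __init__(self, now=time.time):
        self.now = now
        self.state = {}  # user_id -> OTP record; stands in for AFM state data (assumption)

    def create_otp(self, user_id):
        self.state[user_id] = {
            "code": f"{secrets.randbelow(10**6):06d}",  # CSPRNG-backed 6-digit code
            "expires_at": self.now() + OTP_VALIDITY_SECONDS,
            "wrong_attempts": 0,
            "resends": 0,
            "locked": False,
        }
        return self.state[user_id]["code"]

    def reissue_otp(self, user_id):
        # New code, new validity window, counter back to 0: the problem in post 1.
        return self.create_otp(user_id)

    def verify(self, user_id, candidate):
        s = self.state[user_id]
        if s["locked"]:
            raise OtpLockedError(user_id)
        if self.now() > s["expires_at"]:
            return False
        if secrets.compare_digest(s["code"], candidate):
            del self.state[user_id]  # one-time use: consume the OTP on success
            return True
        s["wrong_attempts"] += 1
        if s["wrong_attempts"] >= MAX_WRONG_ATTEMPTS:
            s["locked"] = True
        return False


class HardenedOtpService(NaiveOtpService):
    """Post 3 workaround: never call re-issue. Fetch the OTP already held in the
    stored state and send that same code to the backup device. Counter and expiry
    stay with the original OTP, so the third wrong guess still locks; resends are
    capped so the backup channel cannot be used to spam the user."""

    def resend_otp(self, user_id):
        s = self.state[user_id]
        if s["locked"]:
            raise OtpLockedError(user_id)
        if self.now() > s["expires_at"]:
            raise ValueError("OTP expired; create a new one instead of resending")
        if s["resends"] >= MAX_RESENDS:
            raise ValueError("resend limit reached")
        s["resends"] += 1
        return s["code"]  # same code, same counter, same validity window

    def reissue_otp(self, user_id):
        raise RuntimeError("re-issue resets the attempt counter; use resend_otp")


def guessing_loop(service, user_id, refresh, wrong_guesses=10):
    """Simulation: guess wrong repeatedly and call `refresh` (re-issue or resend)
    after every second wrong guess. Returns (wrong guesses accepted, locked)."""
    service.create_otp(user_id)
    accepted = 0
    for i in range(1, wrong_guesses + 1):
        real = service.state[user_id]["code"]
        bad = "000000" if real != "000000" else "111111"  # guaranteed wrong; simulation only
        try:
            service.verify(user_id, bad)
        except OtpLockedError:
            return accepted, True
        accepted += 1
        if i % 2 == 0:
            try:
                refresh(user_id)
            except OtpLockedError:
                return accepted, True
    return accepted, False


def demo_naive():
    svc = NaiveOtpService()
    return guessing_loop(svc, "ravi", svc.reissue_otp)  # (10, False): never locks


def demo_hardened():
    svc = HardenedOtpService()
    return guessing_loop(svc, "ravi", svc.resend_otp)   # (3, True): locked on the 3rd wrong guess


if __name__ == "__main__":
    print("naive re-issue:  ", demo_naive())
    print("hardened resend: ", demo_hardened())
```

Running the module prints the two simulation results. The guessing loop peeks at the stored code only to make its wrong guess deterministic; a real attacker does not have that access, but that is exactly what the naive path fails to protect, since it grants a fresh set of guesses on every re-issue.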