Forum Discussion

BenN_NZ
Jun 28, 2019

How to perform email OTP before authentication?

We are wanting to perform an email OTP verify prior to authenticating the user against AD.

I've got some way towards this by placing an OTP macro near the start of a flow (using an AD Query to get the user's email), but have come up against a couple of problems:

  1. OTP uses the password session variable - this seems to break AD auth, as OTP now sits in between the logon page and the AD Auth node
  2. If the user needs to change their password, it hangs on the last Logon Page, which is the OTP one (rather than displaying one where you can actually change your password).


The only workaround I can see is:

  • Logon Page (username only + captcha)
  • AD Query (get email)
  • OTP Macro
  • Logon Page (password only - could add read-only username here)
  • AD Auth


But I'd rather not change/damage the UX (currently asks for username/password/captcha on the first screen).


Any ideas would be greatly appreciated!


Thanks,

Ben.

5 Replies

  • For anyone else wanting to do this - I was able to pre-populate the error in the second logon form by using a Variable Assignment block, setting:

    session.logon.page.retry = Text 1

    session.logon.page.errorcode = Text 1000


    Flows through nicely now, with a logical UX, yet still OTP before auth - primarily to protect password changing.

  • Hi

    Using the variable assign object, are you able to save the AD password after the initial login page into a different APM variable? Then, after the OTP auth has occurred, put another variable assign object in to rewrite the session.logon.last.password variable back to the original AD password value that you saved earlier.

  • Thanks - yes, this is the conclusion I came to too - however then we run into further issues whereby if the AD password is incorrect, it reverts to the OTP login to rectify the password (because the OTP is the last logon form). The only resolution I've found so far is to only allow a single attempt and fail the session if the user/pass fails to auth. Not ideal - but I can't see a way around it.

  • How about on your initial AD Auth object, you only set it to try to Auth once. You then set on the fallback path a macro to re-present a login page to allow for the creds to be added again...?

  • This actually flows through nicely - thanks for the idea, Iain. The only thing I'd like to do to polish it off is inject an error into the [second] logon form before it's shown, indicating the auth error.
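The flow the replies converge on, written out as the custom expressions you would put in BIG-IP APM Variable Assign agents. This is an added example, not code from the thread or from F5: the ordering of agents, the use of `mcget -secure` and the Secure flag on the target variable are standard APM Visual Policy Editor constructs, while the variable name `session.custom.ad_password` is a hypothetical name chosen here. The values 1 and 1000 for `session.logon.page.retry` and `session.logon.page.errorcode` are the ones the poster reports working; the AD Auth agent is assumed to have its Max Logon Attempts Allowed set to 1, as suggested in the replies, with its fallback branch leading to the retry Logon Page.

```tcl
# Added example (not from the original thread). BIG-IP APM Visual Policy
# Editor, Variable Assign custom expressions for this branch layout:
#   Logon Page (user/pass/captcha) -> Variable Assign (1) -> AD Query
#   -> OTP macro -> Variable Assign (2) -> AD Auth (max attempts 1)
#   -> [fallback] Variable Assign (3) -> Logon Page (retry) -> AD Auth
# session.custom.ad_password is a hypothetical name; pick your own.

# (1) Directly after the first Logon Page, before the OTP macro overwrites
#     session.logon.last.password with the code the user types.
#     Target: session.custom.ad_password  (tick "Secure" so the copy is
#     masked in session reports and logs like the original variable)
expr { [mcget -secure {session.logon.last.password}] }

# (2) After the OTP macro's successful branch, before AD Auth, restoring
#     the AD password the user entered on the first page.
#     Target: session.logon.last.password  (Secure)
expr { [mcget -secure {session.custom.ad_password}] }

# (3) On the AD Auth fallback branch, before the retry Logon Page, so the
#     second form opens with the authentication error already displayed.
#     Target: session.logon.page.retry
expr { 1 }
#     Target: session.logon.page.errorcode
expr { 1000 }

# (4) After AD Auth's successful branch: drop the saved copy so the
#     cleartext password does not outlive the step that needed it.
#     Target: session.custom.ad_password  (Secure)
expr { "" }
```

Two points worth checking before deploying this. First, the saved copy in step (1) is a second cleartext password in the session store, so leave the Secure flag on it and clear it as in step (4). Second, because the OTP runs before the AD password is verified, anyone who submits a valid username (and passes the captcha) triggers an OTP email to that user, so the captcha and any rate limiting on the first Logon Page are what stand between an attacker and a stream of unsolicited OTP messages.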