OTP can be bypassed by refreshing on the OTP prompt page.
Has anyone run into this issue?
On 11.6HF6
If you're at a step in your access policy of prompting for an OTP and the user just refreshes the browser, it bypasses everything else in the policy and sends the user to the "allow" branch.
I see this behavior when the "Prompt" for passcode page has only a "fallback" branch that goes to an OTP Verify. The OTP Verify has "OTP has passed", "OTP has failed" and "fallback". Both OTP failed and fallback point to a "failure" which results in deny... however, if the user just hits refresh, the access policy logs that the user followed the successful branch out of the OTP Verify.
If I manually place a variable assign at the start of a policy that sets session.otp.verify.last.authresult = expr { 0 }, then it stops this behavior... but the issue appears to be that when there isn't a value for that session variable, it just passes on as success instead of 'fallback', which it seems like it should. I couldn't reproduce this on a mobile browser... but I could on Chrome and IE on several different machines.
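The post describes a fail-open branch decision: when the OTP Verify step never records a result (the user refreshed at the prompt), the policy proceeds as if verification succeeded, and pre-setting session.otp.verify.last.authresult to 0 at the start of the policy closes the gap. The following is an added illustration, not F5 APM code and not a claim about how APM evaluates its branch rules internally: it models the decision as a small Python evaluator and shows the fail-open rule beside a fail-closed rule that requires an explicit success value. The session-variable name comes from the post; the branch names, the allow/deny endings and the run_policy helper are simplified stand-ins.

```python
"""Model of an OTP Verify branch decision: fail-open vs. fail-closed.

Constructed example. Only the session-variable name is taken from the
original post; the evaluator, branch names and policy endings are
simplified stand-ins, not APM internals.
"""

AUTHRESULT = "session.otp.verify.last.authresult"

SUCCESS_BRANCH = "OTP has passed"
FAILURE_BRANCH = "OTP has failed"
FALLBACK_BRANCH = "fallback"

# Policy endings as described in the post: only the success branch allows.
ENDINGS = {
    SUCCESS_BRANCH: "allow",
    FAILURE_BRANCH: "deny",
    FALLBACK_BRANCH: "deny",
}


def fail_open_branch(session: dict) -> str:
    """Weak rule: anything that is not an explicit failure is treated as success.

    An unset variable (None) is not 0, so it falls through to the success
    branch. This reproduces the symptom in the post: a user who never
    completed the verify step is routed to "allow".
    """
    if session.get(AUTHRESULT) == 0:
        return FAILURE_BRANCH
    return SUCCESS_BRANCH


def fail_closed_branch(session: dict) -> str:
    """Hardened rule: success requires an explicit positive result.

    Unset or unexpected values go to the fallback branch, which the post's
    policy routes to deny. The default outcome is therefore no access.
    """
    result = session.get(AUTHRESULT)
    if result == 1:
        return SUCCESS_BRANCH
    if result == 0:
        return FAILURE_BRANCH
    return FALLBACK_BRANCH


def run_policy(evaluate, otp_result, preinitialise: bool = False) -> str:
    """Simulate one pass through the policy and return "allow" or "deny".

    otp_result: 1 (passed), 0 (failed) or None (the verify step never ran,
    e.g. the user refreshed the browser at the OTP prompt).
    preinitialise: the workaround from the post, a Variable Assign at the
    start of the policy that sets the result to 0 before any prompt.
    """
    session = {}
    if preinitialise:
        session[AUTHRESULT] = 0  # hypothetical stand-in for the Variable Assign
    if otp_result is not None:
        session[AUTHRESULT] = otp_result  # recorded by the verify step
    branch = evaluate(session)
    return ENDINGS[branch]


if __name__ == "__main__":
    # Refresh at the prompt: no result recorded.
    print("fail-open, no pre-init :", run_policy(fail_open_branch, None))
    print("fail-open, pre-init    :", run_policy(fail_open_branch, None, True))
    print("fail-closed, no pre-init:", run_policy(fail_closed_branch, None))
    # Normal paths behave the same under both rules.
    print("fail-closed, passed    :", run_policy(fail_closed_branch, 1))
    print("fail-closed, failed    :", run_policy(fail_closed_branch, 0))
```

The point of the comparison is that the pre-initialisation workaround only patches the weak rule; writing the branch so that an absent result can never satisfy the success condition removes the dependence on an earlier step having run at all, which is also the property worth checking in the policy report logs when a session shows "OTP has passed" without a preceding verify attempt.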