Advanced Authentication plug-in based integration with NAM allows to login without Email /SMS OTP after logging out and logging in again using same browser session

  • 7023160
  • 09-Jul-2018
  • 09-Jul-2018


Access Manager 4.4.0
Access Manager 4.4.1


NAM configured for first factor authentication and NAAF for second factor (Email OTP or SMS OTP) authentication. The NAM contract has 2 methods –

   1. Secure Name/Password Form – “Identifies User” is checked

   2. NAAF Method (Email OTP) – “Identifies User” is unchecked


When we access the protected resource, we are prompted for username/password followed by Email OTP or SMS OTP.

Now if we logout and login using the same browser session, we will be prompted for username/password followed by Email or SMS OTP page.

At this point, no OTP is sent to the user and if we click “Sign-in” without keying any OTP, the user is allowed to login.


This issue has been resolved in NAM 4.4.2.

Upgrade to NAM 4.4.2.