Advanced Authentication plug-in based integration with NAM allows login without Email/SMS OTP after logging out and logging in again in the same browser session

  • 7023160
  • 09-Jul-2018
  • 09-Jul-2018

Environment

Access Manager 4.4.0
Access Manager 4.4.1

Situation

NAM is configured for first-factor authentication and NAAF (NetIQ Advanced Authentication Framework) for second-factor authentication (Email OTP or SMS OTP). The NAM contract has two methods:

   1. Secure Name/Password Form – “Identifies User” is checked

   2. NAAF Method (Email OTP) – “Identifies User” is unchecked

When we access the protected resource, we are prompted for username/password followed by the Email OTP or SMS OTP, as expected.

If we then log out and log in again in the same browser session, we are again prompted for username/password followed by the Email or SMS OTP page.

At this point, however, no OTP is sent to the user, and if we click “Sign-in” without keying any OTP, the user is logged in. The second factor is therefore bypassed for any further login in a browser session that has already completed one OTP login: a person who has the user's password and that browser session gets in without access to the user's mailbox or phone.
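
The steps above, as an added example that is not code from this article or from NetIQ: a minimal Python model of a two-method contract in which logout leaves second-factor state behind, beside a hardened version that wipes the session and fails closed. The session layout and the cause modelled (a stale “second factor done” flag that suppresses a new OTP and short-circuits verification) are assumptions chosen to reproduce the observed symptom; the article does not state NAM's actual root cause. The credentials and the in-memory OTP channel are constructed stand-ins for the user store and Email/SMS delivery.

```python
import hmac
import secrets

# Constructed sample first-factor credentials (stand-in for the NAM user store).
USERS = {"alice": "correct horse"}


class OtpChannel:
    """Stand-in for Email/SMS delivery; records every code it is asked to send."""
    def __init__(self):
        self.sent = []

    def send(self, user, code):
        self.sent.append((user, code))


class Session:
    """State kept behind one browser session cookie (assumed layout, not NAM's)."""
    def __init__(self):
        self.reset()

    def reset(self):
        self.user = None                  # set once the first factor succeeds
        self.pending_otp = None           # code the second factor is waiting for
        self.second_factor_done = False   # set once an OTP has been verified
        self.authenticated = False        # both contract methods satisfied


def new_otp():
    return f"{secrets.randbelow(10**6):06d}"


class WeakFlow:
    """Assumed cause of the symptom: logout ends the authenticated session but
    leaves second-factor state behind, so the re-login issues no OTP and the
    verify step trusts the stale 'done' flag."""
    def __init__(self, channel):
        self.channel = channel

    def first_factor(self, s, user, password):
        if not hmac.compare_digest(USERS.get(user, ""), password):
            return False
        s.user = user
        if not s.second_factor_done:      # stale flag => no new OTP is sent
            s.pending_otp = new_otp()
            self.channel.send(user, s.pending_otp)
        return True

    def second_factor(self, s, code):
        if s.second_factor_done:          # stale flag => empty code accepted
            s.authenticated = True
            return True
        if s.pending_otp is not None and hmac.compare_digest(s.pending_otp, code):
            s.pending_otp = None
            s.second_factor_done = True
            s.authenticated = True
            return True
        return False

    def logout(self, s):
        s.authenticated = False           # second_factor_done survives logout
        s.user = None


class HardenedFlow(WeakFlow):
    """Corrected behaviour: logout discards all authentication state, every login
    issues a fresh single-use OTP, and verification fails closed when no OTP is
    pending or the submitted code is blank."""
    def first_factor(self, s, user, password):
        if not hmac.compare_digest(USERS.get(user, ""), password):
            return False
        s.user = user
        s.second_factor_done = False
        s.pending_otp = new_otp()         # always issue a new code
        self.channel.send(user, s.pending_otp)
        return True

    def second_factor(self, s, code):
        if s.pending_otp is None or not code:
            return False
        if not hmac.compare_digest(s.pending_otp, code):
            return False
        s.pending_otp = None              # single use
        s.second_factor_done = True
        s.authenticated = True
        return True

    def logout(self, s):
        s.reset()                         # wipe the whole session, not one flag


def reproduce(flow_cls):
    """Walk the steps from the Situation section in one browser session.
    Returns (otp_sent_on_relogin, empty_code_accepted)."""
    channel = OtpChannel()
    flow = flow_cls(channel)
    s = Session()
    flow.first_factor(s, "alice", "correct horse")   # first login: password...
    flow.second_factor(s, channel.sent[-1][1])       # ...then the delivered OTP
    flow.logout(s)                                   # log out, same browser session
    sent_before = len(channel.sent)
    flow.first_factor(s, "alice", "correct horse")   # log in again
    otp_sent_on_relogin = len(channel.sent) > sent_before
    empty_code_accepted = flow.second_factor(s, "") and s.authenticated  # blank "Sign-in"
    return otp_sent_on_relogin, empty_code_accepted
```

`reproduce(WeakFlow)` returns `(False, True)`, the symptom in the article: no OTP on the second login and a blank submission accepted. `reproduce(HardenedFlow)` returns `(True, False)`. The two properties a second-factor step has to hold are visible in the hardened class: logout must discard every piece of authentication state, not just the “logged in” marker, and the verifier must refuse when nothing is pending rather than treating “no OTP issued” as “nothing to check”.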

Resolution

This issue has been resolved in NAM 4.4.2.

Upgrade to NAM 4.4.2. After upgrading, repeat the steps above to confirm the fix: a new OTP must be sent on the second login in the same browser session, and clicking “Sign-in” with an empty OTP must be rejected.