NAM is configured for first-factor authentication and NAAF for second-factor (Email OTP or SMS OTP) authentication. The NAM contract has 2 methods:
1. Secure Name/Password Form - "Identifies User" is checked
2. NAAF Method (Email OTP) - "Identifies User" is unchecked
When we access the protected resource, we are prompted for username/password followed by Email OTP or SMS OTP.
Now if we log out and log in again using the same browser session, we are prompted for username/password followed by the Email or SMS OTP page.
At this point, no OTP is sent to the user, and if we click "Sign-in" without entering any OTP, the user is allowed to log in.
This issue has been resolved in NAM 4.4.2.
Upgrade to NAM 4.4.2.