NetIQ Access Manager TOTP Authentication Token can be used a second time

  • 7024028
  • 22-Jul-2019
  • 22-Jul-2019


  • Access Manager 4.4.4
  • Access Manager 4.5


Test scenario:
  • TOTP Class, Method and Contract configured.
  • make sure you are registered for TOTP on the used IDP.
  • open two different browser clients (like FF and Chrome)
  • access the IDP base URL and login with your user name/password in both browsers selecting  the TOTP Contract from the Local Logins menu
  • In browser one enter the TOTP but copy it to the clipboard before hitting <ENTER>
  • go to the second browser and paste the same code here again.

  • Result: Both user sessions will get authenticated


  • This issue has been addressed to engineering and will be fixed with NAM 4.5 SP1

Additional Information

  • TOTP means Time-based "One-time Password"

    1. This password can be used once
    2. This password is valid usually for a time period of 30 Seconds

    The combination of 1 + 2 is that it is a password which can be only used once during a time period of 30 seconds. I would even suggest to add a property to allow setting the time

  • describes the TOTP mechanism and it states:

    "Note that a prover may send the same OTP inside a given time-step

    window multiple times to a verifier.  The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP."

    [Page 7]