NetIQ Access Manager TOTP Authentication Token can be used a second time

  • 7024028
  • 22-Jul-2019
  • 22-Jul-2019

Environment

  • Access Manager 4.4.4
  • Access Manager 4.5

Situation

Test scenario:
  • TOTP class, method and contract configured.
  • Make sure you are registered for TOTP on the IDP being used.
  • Open two different browser clients (for example Firefox and Chrome).
  • Access the IDP base URL and log in with your user name/password in both browsers, selecting the TOTP contract from the Local Logins menu.
  • In browser one, enter the TOTP code, but copy it to the clipboard before pressing <ENTER>.
  • Go to the second browser and paste the same code there.

  • Result: both user sessions are authenticated, i.e. the same TOTP code is accepted twice.

Resolution

  • This issue has been reported to engineering and will be fixed in NAM 4.5 SP1.

Additional Information

  • TOTP means Time-based One-Time Password:

    1. The password can be used only once.
    2. The password is usually valid for a time period of 30 seconds.

    Combining 1 and 2, a TOTP is a password that can be used only once within a time period of 30 seconds. I would even suggest adding a property to allow setting the time


  • https://tools.ietf.org/html/rfc6238 describes the TOTP mechanism and states (RFC 6238, page 7):

    "Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP."
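The following is an added example, not NetIQ/Access Manager code, showing what the RFC 6238 requirement quoted above looks like in a verifier: a minimal TOTP implementation plus a check that remembers, per user, the last time-step whose code was accepted, so the second browser in the scenario above is refused. The user name, shared secret and time values are constructed for illustration.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30   # seconds; the usual time-step size (X in RFC 6238)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Verifies TOTP codes and enforces one-time use per time-step.

    The replay state is kept in memory here (hypothetical); a real IDP would
    keep it in shared, persistent storage so every node sees the same state.
    """

    def __init__(self, secrets: dict, step: int = TIME_STEP):
        self.secrets = secrets        # user -> shared secret bytes
        self.step = step
        self.last_used_step = {}      # user -> counter of the last accepted code

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        # One-time-use check first: a counter at or before the last accepted
        # one is refused, which covers the "same code, second browser" case.
        if counter <= self.last_used_step.get(user, -1):
            return False
        expected = hotp(self.secrets[user], counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.last_used_step[user] = counter   # record success before returning
        return True
```

If a verifier also accepts neighbouring time-steps to tolerate clock drift, the same "last accepted counter" rule must apply to whichever step matched, not only the current one.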