Forum Discussion
Mush83
Nimbostratus
NimbostratusAPM OTP authentication
We are using APM for OTP authentication , The problem is that there are a number of users who on purpose make the first registration using the username and password, then after the OTP-code arrives, they open another tab in the browser and request a new login, then a new OTP-code is sent to them and so on, how can I limit this by not allowing a new OTP-code to be sent In the event that the first code is still active, for example, for a period of 3 minutes
- Torijori_Yamamada
Cirrus
Hi,
When APM creates an OTP code you can save it on a table with help of an iRule so if user try to create another session, you can able to check whether same user have a session already. If there is another OTP code, so you can return a message that says like "use OTP code sent previusly".
But this looks like an example of "wrong usage of computers" more than an APM problem. If i encounter same problem, i probably choose to put a time limit which restrict users have one session in a certain time of frame. When they open another one, i block them for a limited of time, so evolution continues and people learn.
Mush83Thank you for your reply, could you please let me know how to block a new session if there's already initiated one
- Nikoolayy1
MVP
You can use 'Max Sessions Per User' https://support.f5.com/csp/article/K03837405 and you may play with "Max In Progress Sessions Per Client IP" if the clients reach the F5 devices with dedicated ip addresses https://support.f5.com/csp/article/K29239233
Still for the other part you will need to have deep irule and apm knowedge to test the irule part as the F5 instructor courses for iRules and APM can help with that.
- Mush83
Please can someone help me to prevent users from using 2 factor auth for a certain period of 3 min in case the first otp code is sent to the user. I tried to find out the last user auth process using irule but without any benefit
