Forum Discussion
How to perform email OTP before authentication?
We are wanting to perform an email OTP verify prior to authenticating the user against AD.
I've got some way towards this by placing an OTP macro near the start of a flow (using an AD Query to get user's email), but have come up against a couple of problems:
- OTP uses the password session variable - this seems to break AD auth, as OTP now sits in between the logon page and the AD Auth node
- If the user needs to change their password, it hangs on the last Logon Page, which is the OTP one (rather than displaying one where you can actually change your password).
The only workaround I can see is:
- Logon Page (username only + captcha)
- AD Query (get email)
- OTP Macro
- Logon Page (password only - could add read-only username here)
- AD Auth
But I'd rather not change/damage the UX (currently asks for username/password/captcha on first screen).
Any ideas would be greatly appreciated!
Thanks,
Ben.
- iaine
Nacreous
Hi
Using the Variable Assign object, are you able to save the AD password after the initial logon page into a different APM variable? Then, after the OTP auth has occurred, put another Variable Assign object in to rewrite the session.logon.last.password variable back to the original AD password value that you saved earlier.
- BenN_NZ
Altostratus
Thanks - yes, this is the conclusion I came to too. However, we then run into further issues whereby, if the AD password is incorrect, it reverts to the OTP logon page to rectify the password (because the OTP page is the last logon form). The only resolution I've found so far is to only allow a single attempt and fail the session if the user/pass fails to auth. Not ideal - but I can't see a way around it.
- iaine
Nacreous
How about on your initial AD Auth object, you only set it to try to Auth once. You then set on the fallback path a macro to re-present a login page to allow for the creds to be added again...?
- BenN_NZ
Altostratus
This actually flows through nicely - thanks for the idea Iain. The only thing I'd like to do to polish it off is inject an error into the [second] logon form before it's shown, indicating the auth error.
- BenN_NZ
Altostratus
For anyone else wanting to do this - I was able to pre-populate the error in the second logon form by using a Variable Assignment block, setting:
session.logon.page.retry = Text 1
session.logon.page.errorcode = Text 1000
Flows through nicely now, with a logical UX, yet still OTP before auth - primarily to protect password changing.
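Pulling the three Variable Assign steps from this thread into one place, as an added illustration rather than anything from the posts above or from F5 documentation: it assumes APM's Tcl custom-expression syntax (mcget, with -secure for secure variables) and a hypothetical custom variable name session.custom.ad_password; the policy order is the one worked out in the thread.

```tcl
# Variable Assign #1 - right after the first Logon Page (username/password/captcha),
# before the OTP macro. Stash the typed AD password in a custom variable so the OTP
# logon page cannot overwrite it. Mark the target variable Secure in the VPE so the
# value is not written to the APM session log in clear text.
session.custom.ad_password = expr { [mcget -secure {session.logon.last.password}] }

# Variable Assign #2 - after the OTP macro, before AD Auth. Put the original password
# back where AD Auth reads it (OTP left its one-time code in this variable).
session.logon.last.password = expr { [mcget -secure {session.custom.ad_password}] }

# AD Auth: Max Logon Attempts Allowed = 1, so a bad password takes the fallback branch
# instead of bouncing the user back to the OTP form.

# Variable Assign #3 - on the AD Auth fallback branch, immediately before the retry
# Logon Page, so the page renders with the standard "incorrect credentials" error.
# Both are Text assignments (not expressions), as in the thread.
session.logon.page.retry = 1
session.logon.page.errorcode = 1000
```

The retry Logon Page then loops back to AD Auth; if password change is required, it is raised from that page, not from the OTP page.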