Forum Discussion
JWhitesPro_1928
Jan 26, 2016, Cirrostratus
OTP can be bypassed by refreshing on the OTP prompt page
Has anyone run into this issue?
On 11.6HF6
If you're at a step in your access policy of prompting for an OTP and the user just refreshes the browser, it bypasses everything else in the polic...
JWhitesPro_1928
Jan 26, 2016, Cirrostratus
I think it may be a bug... as I said, it doesn't happen on mobile devices, and in the logs I see this right before it goes on to allow the user through even though they typed nothing in.
modules/Authentication/OTP/OTPVerifyAgent.cpp func: "getOTPVerifyUserInput()" line: 149 Msg: 64d04990: OTP_VERIFY Agent: getOTPVerifyUserInput(): unable to decrypt user password due to invalid ciphertext
- JWhitesPro_1928 (Jan 26, 2016, Cirrostratus): I have a ticket in with F5. I will update here when they respond in case anyone else runs into this.
- Michael_Koyfma1 (Jan 26, 2016, Cirrus): If you can, please message me your ticket number with support, it would be great.
- JWhitesPro_1928 (Jan 26, 2016, Cirrostratus): It may be something specific to the steps I have. I just created a very basic new policy and wasn't able to reproduce right away. I will message you the .
- JWhitesPro_1928 (Jan 26, 2016, Cirrostratus): I couldn't produce this on a new policy but I could reproduce on mine... if I changed my OTP login page password field from 'text' to 'password' it seemed to correct the behavior on Windows PCs. The problem I guess is we have it set to text so the user can see the number they are entering... I couldn't reproduce that behavior with a new policy though and setting the password field to text... based on that log error it must be something else in the policy combined with that causing it on Windows machines for me.
- Seth_Cooper (Jan 26, 2016, Employee): Could you post a screenshot of the VPE for that policy?