Forum Discussion
JWhitesPro_1928 (Cirrostratus), Jan 26, 2016
OTP can be bypassed by refreshing on the OTP prompt page
Has anyone run into this issue?
On 11.6HF6
If you're at a step in your access policy of prompting for an OTP and the user just refreshes the browser, it bypasses everything else in the polic...
JWhitesPro_1928 (Cirrostratus), Jan 26, 2016
The 'failure' on the "Prompt for passcode" was purely for troubleshooting.
- Seth_Cooper (Employee), Jan 26, 2016: Anything before the Prompt for Passcode?
- JWhitesPro_1928 (Cirrostratus), Jan 26, 2016: I will PM you my qkview and case.
- JWhitesPro_1928 (Cirrostratus), Jan 26, 2016: I see that. I have that set so that the http-auth form pulls the correct field for clickatell... perhaps I can rename it... either way though, on the variable assign before the "Prompt for Passcode" I just added session.logon.last.password and set it to something manually there and tried it again with the same result... it's strange that it doesn't do this on mobile devices or when I change that password field type... let me run through it a few more times.
- JWhitesPro_1928 (Cirrostratus), Jan 26, 2016: I think you're right. I'm not sure why the mobile thing is different or the password field type makes a difference, but by manually setting that variable back to something like '1' it keeps the behavior from happening.
- Seth_Cooper (Employee), Jan 26, 2016: Awesome! I am not sure either at this point why the mobile or the type of input box makes it different. At least now you can configure around the issue.