For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JWhitesPro_1928's avatar
JWhitesPro_1928
Icon for Cirrostratus rankCirrostratus
Jan 26, 2016

OTP can be bypassed by refreshing on the OTP prompt page..

Has anyone ran into this issue?   On 11.6HF6   If you're at a step in your access policy of prompting for a OTP and the user just refreshes the browser, it bypasses everything else in the polic...
BIG-IP Access Policy Manager (APM)
security
Lucas_Thompson_'s avatar
Lucas_Thompson_
Historic F5 Account
Jan 26, 2016

There is one more thing to consider here.

 

All of the "Auth" Policy Items expect that the password will be in an encrypted format. The Logon Page inputs can be "text" or "password". If you set it to "text", then the variable is set up to be unencrypted. If you set it to "password", then it's encrypted. The "Invalid Ciphertext" error message happens when whatever session variable that the Policy Item was trying to interrogate was NOT encrypted or was empty. If it was plaintext, the error would be produced.