F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator
Introduction
In our walkthrough we are refreshing an existing time-based one-time password (TO...
Published May 08, 2023
Version 1.0
momahdy
Employee
Joined May 16, 2019
dupapa
Jan 04, 2024
Nimbostratus
Hello mmahdy!
Thanks for sharing those technical details!
I have some questions related to your technical details:
- Is the ga_code_submit another Logon page or even an External Logon page?
- If the TOTP validation fails, the APM evaluation process will terminate with Deny, which is OK for demo purposes 🙂 However, if I have to allow max three TOTP attempts, how can we realize it without restarting a brand new APM evaluation process?
That is, when the number of failures is less than 3, the APM evaluation process should flow to the ga_code_submit again rather than the Deny ending.
For instance, the built-in OTP Verify with VPE supports max 3 attempts without terminating the ongoing APM evaluation process.