Thursday, December 06, 2012 8:54 AM
I have a client with an interesting requirement... and I'm not even sure if its possible... so I'm putting the question out there...
We have SSPR configured for QA gate AND SMS OTP gate... It works brilliantly.... Now we have users who sometimes don't have their phone with them, or the battery is flat or or or some other excuse,... This raised the question: "Would it be possible at all to let the user decide which gate to use, QA gate OR SMS OTP gate" when resetting his password... ?
Any ideas welcome...
Thursday, December 06, 2012 4:12 PM
If the user (or attacker) can decide not to use the SMS OTP, then what is the point of using SMS OTP in the first place? "Enter your username and password to continue... or just your username and then click this button, maybe?"
That aside, I don't think there is any way to do this; the authentication gates are not open to much customization beyond what you see in the workflow dialogs. Remember that their behavior needs to be consistent between the web and desktop reset clients, and nearly all of the desktop client behavior is baked into DLLs deployed onto workstations.
- Marked As Answer by QRHughes Thursday, December 06, 2012 7:08 PM
Thursday, December 06, 2012 7:08 PM
Thx for your feedback. I know this is not best practise and that 2 factor auth is better than one... The customer is used to having only the Q&A gate, the upgrade to R2 provided for the sms features to be utilized... they only really need one gate, but wanted to offer the sms one as an alternative, and not as an added security or 2nd factor.
But I understand why its not possible... had to ask... :-)
Thursday, December 06, 2012 10:19 PMI've heard similar concerns, like "what if I'm on a plane and have wi-fi but not cell coverage?" My professional opinion is that negating 2-factor SMS authentication to support this very unusual case is a drastically less secure solution than simply recognizing that there exist some situations where users ought not be allowed to reset their forgotten passwords.