QA Gate vs. SMS OTP Gate
-
Thursday, December 06, 2012 8:54 AM
Hi everyone,
I have a client with an interesting requirement... and I'm not even sure if it's possible... so I'm putting the question out there...
We have SSPR configured for QA gate AND SMS OTP gate... It works brilliantly.... Now we have users who sometimes don't have their phone with them, or the battery is flat or or or some other excuse,... This raised the question: "Would it be possible at all to let the user decide which gate to use, QA gate OR SMS OTP gate" when resetting his password... ?
Any ideas welcome...
Thx
Q
All Replies
-
Thursday, December 06, 2012 4:12 PM
If the user (or attacker) can decide not to use the SMS OTP, then what is the point of using SMS OTP in the first place? "Enter your username and password to continue... or just your username and then click this button, maybe?"
That aside, I don't think there is any way to do this; the authentication gates are not open to much customization beyond what you see in the workflow dialogs. Remember that their behavior needs to be consistent between the web and desktop reset clients, and nearly all of the desktop client behavior is baked into DLLs deployed onto workstations.
- Marked As Answer by QRHughes Thursday, December 06, 2012 7:08 PM
-
Thursday, December 06, 2012 7:08 PM
Hey Steve,
Thx for your feedback. I know this is not best practice and that 2 factor auth is better than one... The customer is used to having only the Q&A gate, the upgrade to R2 provided for the SMS features to be utilized... they only really need one gate, but wanted to offer the SMS one as an alternative, and not as an added security or 2nd factor.
But I understand why it's not possible... had to ask... :-)
Q
-
Thursday, December 06, 2012 10:19 PM
I've heard similar concerns, like "what if I'm on a plane and have wi-fi but not cell coverage?" My professional opinion is that negating 2-factor SMS authentication to support this very unusual case is a drastically less secure solution than simply recognizing that there exist some situations where users ought not be allowed to reset their forgotten passwords.

