After developing the task to reset the forgotten password via Email OTP, we have decided to implement reCaptcha on the initial screen where the user normally enters her User ID (Forgotten Password Identify Email OTP).
However, after the user has entered the necessary information (for example, User ID and Email), the user is able to proceed to the verification screen without completing the reCaptcha field verification.
Is this expected behavior of the product, or is it a bug? Can this be fixed?
Release: 14.3
Component: CA Identity Manager
The behavior observed is expected and working as per the product design.
"To minimize brute force attacks, you can include Captcha in the profile screen of the Identity Manager user console."
The identification screen we use during the public task is by nature a search screen. That is why reCaptcha is not enforced: this search screen only searches for the values entered (i.e. user ID, email address, etc.) to identify the user. Search screens do not evaluate any screen attributes or fields.