AH integrated app does not get second factor authentication prompt in version 3.4.3.1066 but works fine in ssp-3.4.1+1018

Article ID: 409082

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

When an authentication policy defines the same authentication factors at two distinct policy levels (with skipFactorLevelForMatchingAmr set to false), and a user authenticates with any factor at the first level (such as PWD), the system unexpectedly skips all subsequent authentication obligations.

For example, take a policy whose obligations are PWD:1, SMSOTP:1, FIDO:1, SMSOTP:2, FIDO:2. If a user successfully completes authentication with PWD at the first level, the second-level obligations (SMSOTP:2, FIDO:2) are bypassed entirely, allowing the user to authenticate without fulfilling the intended multi-factor requirements. The result is a security vulnerability: single-factor authentication suffices even though the policy specifies multiple obligation levels.
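
An added example (not Broadcom's code and not part of the original article): a Python check that replays the authentication steps each session completed against the obligation list above and reports sessions that finished without a factor at every level. The (factor, level) record shape, the session IDs and the function names are assumptions; map them to whatever your own audit data provides.

```python
from collections import defaultdict

POLICY = "PWD:1, SMSOTP:1, FIDO:1, SMSOTP:2, FIDO:2"  # obligation list from the article

def parse_obligations(spec):
    """Turn 'FACTOR:LEVEL, ...' into {level: {factors allowed at that level}}."""
    levels = defaultdict(set)
    for item in spec.split(","):
        factor, _, level = item.strip().partition(":")
        if not factor or not level.isdigit():
            raise ValueError(f"malformed obligation: {item!r}")
        levels[int(level)].add(factor.upper())
    return dict(levels)

def unmet_levels(levels, completed):
    """Return the policy levels with no completed factor.

    completed: iterable of (factor, level) steps the session actually passed.
    Assumes skipFactorLevelForMatchingAmr=false: a factor passed at one level
    never counts toward another level, even if the same factor is listed there.
    """
    done = {(f.upper(), lvl) for f, lvl in completed}
    return sorted(lvl for lvl, factors in levels.items()
                  if not any((f, lvl) in done for f in factors))

def audit(sessions, spec=POLICY):
    """Map session id -> unmet levels, for sessions that were issued anyway."""
    levels = parse_obligations(spec)
    findings = {}
    for sid, completed in sessions.items():
        missing = unmet_levels(levels, completed)
        if missing:
            findings[sid] = missing
    return findings

# Constructed sample data (hypothetical record shape, not a product log format).
SESSIONS = {
    "s-001": [("PWD", 1), ("SMSOTP", 2)],   # both levels satisfied
    "s-002": [("PWD", 1)],                  # the bypass described above
    "s-003": [("SMSOTP", 1), ("FIDO", 2)],  # both levels satisfied
    "s-004": [("SMSOTP", 1)],               # level-1 SMSOTP must not cover level 2
}

if __name__ == "__main__":
    for sid, missing in audit(SESSIONS).items():
        print(f"{sid}: authenticated without a factor at level(s) {missing}")
```

Run against sessions issued while release 3.4.3 was deployed, any finding identifies a login that should be treated as single-factor.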

Environment

VIP Authentication Hub

Release : 3.4.3

Resolution

This issue was identified as a regression in the product and is fixed in release 3.4.4, which is already available for upgrade.

Release notes for the 3.4.4 version can be found here.