[OPENAM-11240] "Skip This Step" button on the ForgeRock Authenticator (OATH) screen is missing (HOTP) Created: 05/Jun/17  Updated: 23/Aug/19  Resolved: 03/Jul/18

Status: Resolved
Project: OpenAM
Component/s: None
Affects Version/s: 13.5.0
Fix Version/s: 13.5.3, 14.1.2, 6.0.0.3, 6.5.0, 6.0.1, 5.5.2

Type: Bug Priority: Minor
Reporter: John Noble Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments (PNG): after register the device.png; authn-mfa-otp-entry.png; no Skip This Step button.png
Target Version/s:
Sprint: AM Sustaining Sprint 44, AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51, AM Sustaining Sprint 52
Story Points: 3
Support Ticket IDs:
Verified Version/s:

Description

See: https://backstage.forgerock.com/docs/openam/13.5/admin-guide#authn-mfa-skip

Unless the OpenAM administrator has made one-time password authentication mandatory, users can choose to opt out of using one-time passwords by clicking the Skip This Step button on the ForgeRock Authenticator (OATH) screen. This button appears:

  • When users are prompted to register their mobile devices during their initial login from a new device.
  • Every time users are prompted by the ForgeRock Authenticator (OATH) authentication module to enter one-time passwords.


With Two Factor Authentication Mandatory disabled, the "Skip This Step" button shown in the documentation is not presented when users are prompted to authenticate using HOTP (see attached screenshot).

Steps to reproduce:

  1. Select Authentication > Settings > General.
  2. Make sure that Two Factor Authentication Mandatory is not enabled.
  3. Create the example chain with HOTP as described in the admin guide: DataStore as the first module, set to Requisite, and a ForgeRock Authenticator (OATH) module second, again as Requisite (https://backstage.forgerock.com/docs/openam/13.5/admin-guide#proc-authn-mfa-chain-oath).
  4. Download and install the ForgeRock Authenticator app on a phone or other mobile device.
  5. Register the OATH device (log in using the example chain, then use the ForgeRock Authenticator app to add the account by scanning the QR code displayed on the login page with the QR code reader/camera).
  6. Authenticate using the OATH device (e.g. have ForgeRock Authenticator generate a one-time password, then, on the browser page where the QR code is shown, click "Login using verification code" (or similar) and enter the code).
  7. Repeat the login using the example chain. After the DataStore module login, the user is presented with a page on which to enter the OTP.


Expected result:

User can choose to skip OATH authentication.

Current behaviour:

No option to skip is presented.

Note: The option to skip is presented when registering a device and for TOTP. Opted out users skip the module entirely as expected.
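The following is an added illustration, not OpenAM code, of the two things this report touches: HOTP code verification as defined in RFC 4226 (real algorithm, real test secret from the RFC), and the documented "Skip This Step" decision, i.e. the button is offered at device registration and at every OTP prompt unless the administrator made two-factor authentication mandatory, while a user who already opted out skips the module entirely. The user-state fields (`registered`, `opted_out`, `counter`), the `oath_screen` function and the behaviour of an opted-out user when 2FA is later made mandatory are assumptions for the model, not OpenAM's schema or logic.

```python
"""HOTP (RFC 4226) verification next to the documented 'Skip This Step' rule.
Added illustration, not OpenAM code; state field names are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class OathUserState:
    """Per-user state an OATH module would keep (assumed shape, not OpenAM's schema)."""
    registered: bool = False   # a device has been enrolled
    opted_out: bool = False    # user pressed "Skip This Step" on an earlier login
    secret: bytes = b""        # shared HOTP secret established at registration
    counter: int = 0           # next counter value the server expects


def oath_screen(state: OathUserState, two_factor_mandatory: bool) -> dict:
    """Which screen the OATH module shows and whether 'Skip This Step' is offered."""
    if state.opted_out and not two_factor_mandatory:
        # Documented: opted-out users skip the module entirely.
        return {"screen": "skip_module", "skip_button": False}
    # Assumption: if the admin later makes 2FA mandatory, an earlier opt-out
    # no longer applies and the user is taken through registration/OTP.
    screen = "enter_otp" if state.registered else "register_device"
    # Documented rule: the button appears at registration AND at every OTP
    # prompt unless two-factor authentication is mandatory (the report is
    # that the HOTP 'enter_otp' prompt omits it).
    return {"screen": screen, "skip_button": not two_factor_mandatory}


def verify_hotp(state: OathUserState, submitted: str, window: int = 10) -> bool:
    """Look-ahead window as in RFC 4226 section 7.4: accept a code for any counter in
    counter..counter+window, then move the server counter past it so the same
    code cannot be replayed."""
    for c in range(state.counter, state.counter + window + 1):
        if hmac.compare_digest(hotp(state.secret, c), submitted):
            state.counter = c + 1
            return True
    return False


def demo() -> list:
    """Walk the reproduction from the report with 2FA not mandatory:
    first login registers, second login verifies an HOTP code, a replay of
    that code is rejected, and the next OTP prompt should still offer skip."""
    user = OathUserState(secret=b"12345678901234567890")  # RFC 4226 test secret
    results = [oath_screen(user, False)]                     # register_device, button shown
    user.registered = True
    results.append(verify_hotp(user, hotp(user.secret, 0)))  # True, counter -> 1
    results.append(verify_hotp(user, hotp(user.secret, 0)))  # False, replay rejected
    results.append(oath_screen(user, False))                 # enter_otp, button shown
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The `skip_button` value on the final `enter_otp` screen is the expected result from the report; the observed behaviour in 13.5.0 is that the HOTP prompt omits the button.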

Comments
Comment by Yaodong Hu [X] (Inactive) [ 15/Oct/17 ]

Trying to duplicate the case.

Part 1: user skips this step without registering the device.

  1. Create a test OATH chain and make sure Two Factor Authentication Mandatory is not enabled.
  2. Create a user testuser1.
  3. The first time testuser1 tries to log in, after username/password, a page is presented to register the device or skip the step.
  4. Select "Skip This Step"; the user will log in.
  5. Log out the user and log in again. The user will log in successfully after username/password.

Part 2: user registers a device and successfully uses an HOTP code to log in.

  1. Create a user testuser2.
  2. The first time, the user registers the device and uses an HOTP code to log in; see screenshot attached.
  3. Log out the user and log in again; after entering username/password, it asks for the HOTP code again, without "Skip This Step" this time; see screenshot attached.

So just to confirm that the bug is about the last step: the user should be given another chance to "Skip This Step" as Two Factor Authentication Mandatory is not enabled?

Comment by John Noble [ 24/Oct/17 ]

Yaodong Hu [X] Yes, the bug is specific to the last step you mentioned. The documentation specifies that the user should be given the opportunity to "Skip This Step":

https://backstage.forgerock.com/docs/openam/13.5/admin-guide#authn-mfa-skip

Every time users are prompted by the ForgeRock Authenticator (OATH) authentication module to enter one-time passwords.

I guess this makes sense in a conditional auth chain, where the user can "skip" OTP and use another method to authenticate.

Comment by Jonathan Thomas [ 20/Jun/18 ]

Re-assigning

Comment by Lawrence Yarham [ 27/Jun/18 ]

Note that once a user has chosen to skip OTP (either at first time instead of registering the device, or on any subsequent authentication), the OTP is then skipped on all subsequent authentications for that user.

To re-enable OTP, log in as the user, then select Dashboard, then under Authentication Devices, from the menu at the top right of the section, choose Settings. This contains an option (slider switch) to re-enable 2-step Authentication. Once enabled, this prompts to register the device on the next login, and once that is completed, OTP applies again for all subsequent authentications.

Generated at Thu Dec 03 20:39:48 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.