Soft Token Vulnerability

Created by: John Solis

Date Happened: August 13, 2020



Component: Soft Token

Platform: Android/IOS



Root Cause:

  1. Soft Token Vulnerability - 2 TOTPs are valid at the same time.



Findings:
  1. AUB raised a concern regarding what they called a "vulnerability" in the soft token: there are 2 valid OTPs within the same time frame.



Resolution:
  1. The validator can be set to maxTimeSteps=1 (one 30-second step), so that only one OTP is valid at a time, but beware that synchronization then becomes tight because the tolerance window is 0. This will create issues if hard tokens are run alongside soft tokens: hard tokens are hardcoded, so with age their clocks sometimes drift out of the window. The result is repeated "Invalid Response" errors and eventual lockout.
  2. Please refer to the "01 Soft Token Vulnerability" document in the reference folder for more information.
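The trade-off described in the resolution, as an added illustration that is not Entrust's code: a minimal RFC 6238 TOTP validator whose `tolerance` parameter plays the role of the page's tolerance window (0 corresponds to the tight maxTimeSteps=1 setting, 1 accepts the neighbouring steps). The secret and timestamps are the RFC 6238 test vectors, and the 20-second "hard token drift" is a constructed scenario.

```python
import hashlib
import hmac
import struct

STEP = 30  # time-step length in seconds, as on the page (one step = 30 secs)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / step)."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, candidate: str, server_time: int, tolerance: int, step: int = STEP) -> bool:
    """Accept the code if it matches the server's current step or any step within +/- tolerance.

    tolerance=0 is the tight setting from the resolution: exactly one code is valid.
    tolerance=1 also accepts the previous and next step: several codes are valid at once,
    which is the behaviour AUB reported as a vulnerability.
    """
    current = server_time // step
    for k in range(current - tolerance, current + tolerance + 1):
        if hmac.compare_digest(hotp(secret, k), candidate):
            return True
    return False


def count_valid_codes(secret: bytes, server_time: int, tolerance: int, step: int = STEP) -> int:
    """Number of distinct codes the server would accept at this instant."""
    current = server_time // step
    return len({hotp(secret, k) for k in range(current - tolerance, current + tolerance + 1)})


# RFC 6238 test-vector key (not a real secret) and test timestamp.
SECRET = b"12345678901234567890"
SERVER_TIME = 1111111111
# Constructed scenario: an aged hard token whose clock runs 20 seconds behind the server,
# so it is still emitting the code of the previous time step.
DRIFTED_TOKEN_CODE = totp(SECRET, SERVER_TIME - 20)

if __name__ == "__main__":
    for tol in (0, 1):
        print(f"tolerance={tol}: valid codes now={count_valid_codes(SECRET, SERVER_TIME, tol)}, "
              f"drifted hard token accepted={verify(SECRET, DRIFTED_TOKEN_CODE, SERVER_TIME, tol)}")
```

With tolerance 0 only one code is valid but the drifted hard token is rejected ("Invalid Response"); with tolerance 1 the drifted token is accepted but more than one code is valid at the same instant.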
