Environment
Situation
NAM is configured for first-factor authentication and NAAF for second-factor (Email OTP or SMS OTP) authentication. The NAM contract has 2 methods:
1. Secure Name/Password Form – “Identifies User” is checked
2. NAAF Method (Email OTP) – “Identifies User” is unchecked
When we access the protected resource, we are prompted for username/password followed by Email OTP or SMS OTP.
Now if we log out and log in again using the same browser session, we are prompted for username/password followed by the Email or SMS OTP page.
At this point, no OTP is sent to the user, and if we click “Sign-in” without entering any OTP, the user is allowed to log in.
Resolution
This issue has been resolved in NAM 4.4.2.
Upgrade to NAM 4.4.2.