IBM Sterling Ideas

Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Post your ideas

IBM is transforming its request for enhancement (RFE) process. The purpose of the transformation is to provide a more consistent experience for you to submit requests and to enable IBM product owners to respond to your requests more quickly. For more information click here.

Start by posting ideas and requests to enhance a product or service. Take a look at ideas others have posted and upvote them if they matter to you,
1. Post an idea
2. Upvote ideas that matter most to you
3. Get feedback from the IBM team to refine your idea

Help IBM prioritize your ideas and requests

The IBM team may need your help to refine the ideas so they may ask for more information or feedback. The offering manager team will then decide if they can begin working on your idea. If they can start during the next development cycle, they will put the idea on the priority list. Each team at IBM works on a different schedule, where some ideas can be implemented right away, others may be placed on a different schedule.

Receive notifications on the decision

Some ideas can be implemented at IBM, while others may not fit within the development plans for the product. In either case, the team will let you know as soon as possible. In some cases, we may be able to find alternatives for ideas which cannot be implemented in a reasonable time.

Enable myFileGateway multi-factor authentication. Different fields be added for token and password

Enable different fields to be added in the Login's Page for myFilegateway.

Ex:

Username:

Password:

Token:

 

We need to receive an extra field during login authentication on myFileGateway, as a random Token for example.

 Using pre-login Exit, User and Pasword are validated against B2Bi core product users. And token (extra field) validated using as user custom code.

 

Sugestion: 

If in IUserLoginUserExit_preAuthenticate class, we could pass a "clean" password to B2B (outargs), so the core product could authenticate using the password in outargs, instead of what user has typed.

  • Avatar32.5fb70cce7410889e661286fd7f1897de Guest
  • Jul 22 2019
  • Under review
How will this idea be used?

When an user access myFileGateway web interface, he will input credencials as below.
 
User ID: client username
Password: password local in user tables + token 6 digits
 

The Sign In button is already calling a plug-in (external code), that is receiving this credentials.
It splits the password, validates the token successfully. This is working fine.
The problem is when this code is trying to validate the password on B2B.
 
SI stores a base64 encoded SHA1 hash of the password into database instead of raw password to protect credentials. Before hashing a password a string of random characters is appended to it (a different random string is used for every password) and the password hashed. 
It is stored on YFS_USER table.
 
First, they tried to follow this method and compare the password returned from YFS_USER table. But is not possible because we cant recover the random string that was appended (and for me, doen't make sense try to do this, since the system can not allow this kind of vulnerability, which would basically open the security mode of the application)
 
So, the second plan, is verify if there is any method or class , which we could pass the credentials, and B2B returns true of false, or validates those credentials.

 

The perfect solution would be an extra field so we can enable a multi-factor authentication. This extra field could be validate thought pre authentication user exit.

What is your industry? Banking
What is the idea priority? Urgent
  • Attach files
  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    11 Dec, 2020 11:01am

    More firms are requiring this due to stricter security standards