I have a question regarding spass token behavior. I am trying to recreate this behavior described in manual:
Users will only be authorized with this very tokentype. The string can hold a space separated list of case sensitive
tokentypes. It should look like:
hotp totp spass
This is checked after the authentication request, so that a valid OTP value is wasted, so that it can not be used, even if
the user was not authorized at this request
Note: Combining this with the client IP you can use this to allow remote access to sensitive areas only with one
special token type while allowing access to less sensitive areas with other token types.
I have one Authentication policy with the following options:
Challenge response = totp
otppin = userstore
-When user has TOTP token assigned and no spass token. User is prompted for TOTP MFA code.
-When user is assigned both TOTP + spass token. spass token overrides TOTP challenge. User can login without TOTP even if spass is not assigned as challenge response in the only policy.
Is this normal behavior? I expected if spass not listed as challenge response in policy then user will not be allowed to use spass and will be prompted for TOTP?