Tony | Posts: 12

KBA failure max tries not being enforced. Signers never get locked

0 votes
We have set up our account with maximum allowed KBA failures = 3 but ESL is allowing seemingly unlimited invalid retries. So, signers never get locked and the KBA_FAILURE and SIGNER_LOCKED emails and callback notifications don't get sent. I do not see any way to set the max KBA tries through the API. It is set up at the account level in the ESL admin portal, apparently (which I don't personally have access to but I'm working with somebody who does).

Here is an example of our REST request to create and send a signing package in case it is helpful.

{
   "roles": [
      {
         "locked": false,
         "emailMessage": { "content": "" },
         "attachmentRequirements": [],
         "reassign": false,
         "specialTypes": [],
         "id": "GEORGE_H_MORLAN",
         "data": null,
         "type": "SIGNER",
         "index": 0,
         "signers": [
            {
               "auth": {
                  "challenges": [
                     {
                        "answer": "6789",
                        "question": "What are the last 4 digits of your SSN or TaxID?",
                        "maskInput": false
                     }
                  ],
                  "scheme": "CHALLENGE"
               },
               "company": "",
               "firstName": "GEORGE",
               "lastName": "MORLAN",
               "phone": "",
               "email": "[email protected]",
               "knowledgeBasedAuthentication": null,
               "language": "en",
               "title": "",
               "external": null,
               "professionalIdentityFields": [],
               "userCustomFields": [],
               "delivery": { "email": true, "provider": false, "download": false },
               "group": null,
               "signature": null,
               "address": null,
               "data": null,
               "name": "GEORGE H MORLAN",
               "specialTypes": [],
               "id": "GEORGE_H_MORLAN"
            }
         ],
         "name": "GEORGE H MORLAN"
      }
   ],
   "documents": [
      {
         "approvals": [
            {
               "role": "GEORGE_H_MORLAN",
               "signed": null,
               "accepted": null,
               "data": null,
               "fields": [
                  {
                     "page": 0, "subtype": "FULLNAME", "width": 200, "binding": null,
                     "extract": false, "extractAnchor": null, "left": 100, "top": 700,
                     "validation": null, "height": 50, "data": null,
                     "type": "SIGNATURE", "value": ""
                  }
               ],
               "name": "Approval name"
            }
         ],
         "name": "Extension Agreement",
         "fields": [
            { "name": "Next Due Date", "value": "9/21/2018" },
            { "name": "Document Date", "value": "8/21/2018" },
            { "name": "Borrower Name", "value": "GEORGE H MORLAN" },
            { "name": "Co-Signer Name", "value": "" },
            { "name": "Account Number", "value": "514671798" },
            { "name": "Effective Date", "value": "9/21/2018" },
            { "name": "Months Extended", "value": "1" },
            { "name": "Next Payment Due", "value": "9/21/2018" },
            { "name": "New Maturity Date", "value": "8/21/2030" },
            { "name": "Null Void Date", "value": "8/25/2018" }
         ]
      }
   ],
   "name": "Extension",
   "type": "PACKAGE",
   "language": "en",
   "emailMessage": "8/25/2018",
   "description": "Defines the terms of the Extension agreement",
   "autoComplete": true,
   "status": "SENT",
   "settings": {
      "ceremony": {
         "events": null,
         "inPerson": false,
         "declineButton": false,
         "declineReasons": [],
         "disableDeclineOther": false,
         "disableDownloadForUncompletedPackage": false,
         "disableFirstInPersonAffidavit": false,
         "disableInPersonAffidavit": false,
         "disableOptOutOther": false,
         "disableSecondInPersonAffidavit": false,
         "documentToolbarOptions": null,
         "handOver": null,
         "hideCaptureText": false,
         "hideLanguageDropdown": false,
         "hidePackageOwnerInPerson": false,
         "hideWatermark": false,
         "maxAuthFailsAllowed": 0,
         "optOutButton": false,
         "optOutReasons": [],
         "style": null,
         "layout": null
      }
   },
   "reminders": { "startInDaysDelay": 1, "intervalInDays": 1, "repetitionsCount": 3 },
   "due": "2018-08-25"
}

Duo_Liang | Posts: 3776

Reply to: KBA failure max tries not being enforced. Signers never get locked

1 votes
Hi Tony, First I want to confirm with you: are you talking about KBA or QA authentication? Because from your JSON, I only saw content in "auth" rather than "knowledgeBasedAuthentication".
   "auth":{
      "challenges":[
         {
            "answer":"6789",
            "question":"What are the last 4 digits of your SSN or TaxID?",
            "maskInput":false
         }
      ],
      "scheme":"CHALLENGE"
   },
   "knowledgeBasedAuthentication":null
So if you meant QA, you can assign the max number of failures in your package settings. You can also find this attribute in your JSON:
{
   "settings":{
      "ceremony":{
         "maxAuthFailsAllowed":3
      }
   }
}
Hope this helps! Duo

Tony | Posts: 12

Reply to: KBA failure max tries not being enforced. Signers never get locked

0 votes
Thank you, Duo. I was misusing the term KBA. You are correct that I really meant QA. I will try setting maxAuthFailsAllowed in my API request and see if this resolves my issue. Is the KBA_Failure notification specific to KBA authentication? Or will it also be sent when the signer inputs an invalid QA answer?

Duo_Liang | Posts: 3776

Reply to: KBA failure max tries not being enforced. Signers never get locked

1 votes
Hi Tony, The KBA_Failure notification sticks to KBA authentication, so I'm afraid the only callback event related to QA is the "Recipient Locked". Duo

roneddy | Posts: 30

Reply to: KBA failure max tries not being enforced. Signers never get locked

0 votes
Hello, I have been working with Tony on this integration and one important aspect to note is that we are using our own on-premise instance of the OneSpan Sign 6.2 platform with ESL 11.3. When I go into backoffice and look at his account settings I have it set to lock out: Max Signer Authentication Attempts: 3. So I am a bit confused as to why it will not lock out the signer, given that we seem to have everything set up correctly. Is there a backoffice setting I might be missing? Thanks, Ron

Duo_Liang | Posts: 3776

Reply to: KBA failure max tries not being enforced. Signers never get locked

0 votes
Hi Ron, If you are talking about the JSON Tony posted in the first post, that could be because there's a package level setting “maxAuthFailsAllowed”: 0 which overrides the account level setting Max Signer Authentication Attempts: 3. If this attribute is not specifically assigned, it should be the same as the number at the account level, and the setting should take effect, from my test. So after the code has been modified, does it still not work properly? Duo

Tony | Posts: 12

Reply to: KBA failure max tries not being enforced. Signers never get locked

0 votes
Adding maxAuthFailsAllowed to my REST request resolved the issue. It's now locking out the signer after the defined max tries and sending a SIGNER_LOCKED callback message. Also, it emailed a notification to the business line's shared email box. We are good. Thank you!
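
An added example, not part of the original thread and not OneSpan code: a pre-send check that flags signers protected by question-based authentication when the package would leave them without a retry limit, using the override behaviour described in the replies above. The function name `audit_auth_lockout`, the `account_max` parameter and the sample payload are hypothetical; the rules that an explicit package value of 0 disables the lockout and that an absent value inherits the account setting are taken from the thread, not from product documentation.

```python
import copy

def audit_auth_lockout(package, account_max=None):
    """Return (signer_id, auth_kind, problem) tuples for signers whose
    question-based authentication has no effective failure limit."""
    ceremony = (package.get("settings") or {}).get("ceremony") or {}
    limit = ceremony.get("maxAuthFailsAllowed")
    # Assumption from the thread: an explicit package value overrides the
    # account setting; an absent value falls back to the account number.
    effective = account_max if limit is None else limit
    source = "account" if limit is None else "package"
    findings = []
    for role in package.get("roles") or []:
        for signer in role.get("signers") or []:
            auth = signer.get("auth") or {}
            if auth.get("scheme") == "CHALLENGE" and auth.get("challenges"):
                kind = "QA"   # static question/answer pairs in "auth"
            elif signer.get("knowledgeBasedAuthentication") is not None:
                kind = "KBA"
            else:
                continue      # nothing to brute-force on this signer
            sid = signer.get("id", "<no id>")
            if effective is None:
                findings.append((sid, kind, "limit unknown: not in package, "
                                            "account value not supplied"))
            elif effective < 1:
                findings.append((sid, kind,
                                 f"{source}-level limit is {effective}: no lockout"))
    return findings

# Constructed sample, reduced to the fields the check reads.
SAMPLE = {
    "roles": [{"id": "SIGNER_1", "signers": [{
        "id": "SIGNER_1",
        "auth": {"scheme": "CHALLENGE", "challenges": [
            {"question": "Constructed question?", "answer": "0000",
             "maskInput": False}]},
        "knowledgeBasedAuthentication": None}]}],
    "settings": {"ceremony": {"maxAuthFailsAllowed": 0}},
}

if __name__ == "__main__":
    print(audit_auth_lockout(SAMPLE, account_max=3))   # flagged
    fixed = copy.deepcopy(SAMPLE)
    fixed["settings"]["ceremony"]["maxAuthFailsAllowed"] = 3
    print(audit_auth_lockout(fixed, account_max=3))    # clean
```

Running a check like this before the package is sent matters most for short answers such as a four-digit number, where an unlimited retry count makes the challenge guessable.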
