ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme
Hi,
We recently had our ABP application penetration tested by an established security firm. The testers noted the following...
The application allows users to authenticate with a multi-factor authentication code sent via email or cellphone. There are two primary issues with the MFA authentication workflow:
- There are no limits to the number of MFA guesses a user can make as long as guesses are made using the API
- MFA tokens only expire after the time limit of 6 minutes has elapsed, not when a new MFA token is generated or when the token is used to login
Together these misconfigurations can make it so that an MFA bypass is statistically probable....
They end with the following recommendation...
Ensure that MFA codes are invalidated after being used to authenticate a user. Furthermore, ensure that a user can only guess the MFA code a small number of times (5-10) before a lockout.
How can we override/adjust the application to expire the security code/token as soon as it is used to login? Additionally, how can we make it such that after x failed attempts, the security code/token is expired?
Any suggestions/guidance is greatly appreciated as we need to have the application certified by this security firm.
Regards,
Brian
3 Answer(s)
-
0
Hi,
ABP uses standard ASP.NET Core Identity to implement MFA authentication.
We will consider supporting it in 8.3 if possible.
Any suggestions/guidance is greatly appreciated as we need to have the application certified by this security firm.
You might consider overriding the send-security-code and verify-code methods.
For example:
    // Registration attributes make ABP use this class in place of the built-in service
    [Dependency(ReplaceServices = true)]
    [ExposeServices(typeof(IAccountAppService), typeof(AccountAppService))]
    public class MyAccountAppService : AccountAppService
    {
        // constructor and other members unchanged

        public override async Task SendTwoFactorCodeAsync(SendTwoFactorCodeInput input)
        {
            // send the code and store it in a distributed cache
            // You can set the cache expiration time to make the code expire in the future
            await base.SendTwoFactorCodeAsync(input);
        }
    }

    // AbpSignInManager carries no lifetime interface, so the lifetime is given explicitly
    [Dependency(ServiceLifetime.Scoped, ReplaceServices = true)]
    [ExposeServices(typeof(AbpSignInManager), typeof(SignInManager<IdentityUser>))]
    public class MySignInManager : AbpSignInManager
    {
        // constructor unchanged

        public override async Task<SignInResult> TwoFactorSignInAsync(string provider, string code, bool isPersistent, bool rememberClient)
        {
            // check the distributed cache; if the code cache entry does not exist, return invalid code
            var result = await base.TwoFactorSignInAsync(provider, code, isPersistent, rememberClient);
            // If the login is successful, remove the code from the distributed cache
            // if the login is not successful, number of attempts + 1
            return result;
        }
    }
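Worked-out version of the verify-code side of this answer, added here as an example; it is not code from the thread, from liangshiwei, or from ABP. It keeps a per-user failed-attempt counter and a per-(user, code) "already used" marker in ABP's `IDistributedCache<T>`, so that a code is rejected once it has logged someone in and guessing is cut off after a fixed number of failures. Assumptions: the `TwoFactorCodeCacheItem` class, the cache key layout, the limit of 5 attempts and the 6-minute window are mine (the numbers come from the pentest finding and recommendation); the `AbpSignInManager` constructor parameter list is what ABP 7.4 exposes as far as I know and should be checked against your installed version; the namespace is a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Volo.Abp.Caching;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;
using Volo.Abp.Identity.AspNetCore;
using Volo.Abp.Settings;

namespace MyCompany.MyProject.Identity // placeholder namespace
{
    // Constructed cache item (assumption, not an ABP type). One entry per user carries the
    // failed-attempt counter; one entry per (user, code) marks a code as already consumed.
    public class TwoFactorCodeCacheItem
    {
        public int FailedAttempts { get; set; }
        public bool Consumed { get; set; }
    }

    // Replaces AbpSignInManager through ABP's conventional registration. The lifetime is
    // given explicitly because AbpSignInManager implements no lifetime interface of its own.
    [Dependency(ServiceLifetime.Scoped, ReplaceServices = true)]
    [ExposeServices(typeof(AbpSignInManager), typeof(SignInManager<IdentityUser>))]
    public class MySignInManager : AbpSignInManager
    {
        // Assumptions: 5 guesses per window (the recommendation says 5-10); the 6-minute
        // window matches the token lifetime reported in the finding, so a used-code marker
        // outlives the code it blocks.
        private const int MaxFailedAttempts = 5;
        private static readonly TimeSpan CodeLifetime = TimeSpan.FromMinutes(6);

        private readonly IDistributedCache<TwoFactorCodeCacheItem> _cache;

        public MySignInManager(
            IdentityUserManager userManager,
            IHttpContextAccessor contextAccessor,
            IUserClaimsPrincipalFactory<IdentityUser> claimsFactory,
            IOptions<IdentityOptions> optionsAccessor,
            ILogger<SignInManager<IdentityUser>> logger,
            IAuthenticationSchemeProvider schemes,
            IUserConfirmation<IdentityUser> confirmation,
            IOptions<AbpIdentityOptions> options,
            ISettingProvider settingProvider,
            IDistributedCache<TwoFactorCodeCacheItem> cache)
            : base(userManager, contextAccessor, claimsFactory, optionsAccessor,
                   logger, schemes, confirmation, options, settingProvider)
        {
            _cache = cache;
        }

        public override async Task<SignInResult> TwoFactorSignInAsync(
            string provider, string code, bool isPersistent, bool rememberClient)
        {
            // The user is identified by the two-factor cookie issued after the password step.
            var user = await GetTwoFactorAuthenticationUserAsync();
            if (user == null)
            {
                return SignInResult.Failed;
            }

            var attemptsKey = $"mfa-attempts:{user.Id}";
            var usedKey = $"mfa-used:{user.Id}:{CodeFingerprint(code)}";
            var expiry = new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = CodeLifetime };

            // 1. Too many wrong guesses in the current window: refuse before checking the code,
            //    so the attacker learns nothing from further submissions.
            var attempts = await _cache.GetAsync(attemptsKey) ?? new TwoFactorCodeCacheItem();
            if (attempts.FailedAttempts >= MaxFailedAttempts)
            {
                Logger.LogWarning("Two-factor lockout for user {UserId}", user.Id);
                return SignInResult.LockedOut;
            }

            // 2. Replayed code: Identity's time-based generator would still accept it inside
            //    its window, so the cache marker is what makes a code single-use.
            if (await _cache.GetAsync(usedKey) != null)
            {
                attempts.FailedAttempts++;
                await _cache.SetAsync(attemptsKey, attempts, expiry);
                return SignInResult.Failed;
            }

            // 3. Let ASP.NET Core Identity verify the code as before.
            var result = await base.TwoFactorSignInAsync(provider, code, isPersistent, rememberClient);

            if (result.Succeeded)
            {
                // Consume the code for the rest of its validity window and reset the counter.
                await _cache.SetAsync(usedKey, new TwoFactorCodeCacheItem { Consumed = true }, expiry);
                await _cache.RemoveAsync(attemptsKey);
            }
            else
            {
                attempts.FailedAttempts++;
                await _cache.SetAsync(attemptsKey, attempts, expiry);
            }

            return result;
        }

        // Cache keys carry a hash rather than the code itself; this is hygiene for cache
        // dumps and logs, not secrecy, since the code space is small.
        private static string CodeFingerprint(string code)
        {
            var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(code ?? string.Empty));
            return Convert.ToHexString(bytes);
        }
    }
}
```

Two points to check when adopting this. First, the counter and the used-code marker both live in the distributed cache, so the limit holds across Blazor Server instances and across the API, which is where the testers observed unlimited guessing; confirm that the API endpoint they exercised actually reaches `TwoFactorSignInAsync` rather than calling `UserManager.VerifyTwoFactorTokenAsync` directly, otherwise the same checks belong there. Second, `SignInResult.LockedOut` here is a temporary, cache-backed lockout that clears after the window; if you prefer the persistent Identity lockout (`AccessFailedCount` and `LockoutEnd` on the user), call `UserManager.AccessFailedAsync(user)` on each failure instead of the counter.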
-
0
Hi liangshiwei,
Thank you for the guidance. I'll be giving your approach a try...
-
0
okay