MFA findings in a penetration test #7256 | Support

balessi75 created 5 months ago

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

We recently had our ABP application penetration tested by an established security firm. The testers noted the following...

The application allows users to authenticate with a multi-factor authentication code sent via email or cellphone. There are two primary issues with the MFA authentication workflow: -There are no limits to the number of MFA guesses a user can make as long as guesses are made using the API -MFA tokens only expire after the time limit of 6 minutes has elapsed, not when a new MFA token is generated or when the token is used to login Together these misconfigurations can make it so that an MFA bypass is statistically probable....

They end with the following recommendation...

Ensure that MFA codes are invalidated after being used to authenticate a user. Furthermore, ensure that a user can only guess the MFA code a small number of times (5-10) before a lockout

How can we override/adjust the application to expire the security code/token as soon as it is used to login? Additionally, how can we make it such that after x failed attempts, the security code/token is expired?

Any suggestions/guidance is greatly appreciated as we need to have the application certified by this security firm.

Regards,

Brian

3 Answer(s)

liangshiwei created 5 months ago

Support Team Fullstack Developer

HI,

Abp uses standard ASPNETCore Identity to implement MFA authentication.

We will consider supporting it in the 8.3 if it's possible.

Any suggestions/guidance is greatly appreciated as we need to have the application certified by this security firm.

You might consider rewriting the send security code and verifying code methods.

For example:

public class MyAccountAppService: AccountAppService
{
    ...
    
    public override async Task SendTwoFactorCodeAsync(SendTwoFactorCodeInput input)
    {
        // send the code and store in a distributed cache
        // You can set the cache expiration time to make the code expire in the future
    }
}

public class MySignInManager : AbpSignInManager
{
    public override async Task<...> TwoFactorSignInAsync(....)
    {
        // check the distributed cache, If the code cache does not exist, return invalid code
        
        
        var result = base.TwoFactorSignInAsync(...);
        
        // If the login is successful, remove the code from the distributed cache
        // if the login is not successful, number of attempts + 1
        
        return result;
        
    }
}

0

balessi75 created 5 months ago

Hi liangshiwei,

Thank you for the guidance. I'll be giving your approach a try...
0

liangshiwei created 5 months ago
Support Team Fullstack Developer

okay

Have an answer to this question? Log in and write your answer.