
MFA findings in a penetration test #7256


balessi75 created

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

We recently had our ABP application penetration tested by an established security firm. The testers noted the following...

The application allows users to authenticate with a multi-factor authentication code sent via email or cellphone. There are two primary issues with the MFA authentication workflow:

- There are no limits to the number of MFA guesses a user can make as long as guesses are made using the API
- MFA tokens only expire after the time limit of 6 minutes has elapsed, not when a new MFA token is generated or when the token is used to login

Together these misconfigurations can make it so that an MFA bypass is statistically probable....

They end with the following recommendation...

Ensure that MFA codes are invalidated after being used to authenticate a user. Furthermore, ensure that a user can only guess the MFA code a small number of times (5-10) before a lockout

How can we override/adjust the application to expire the security code/token as soon as it is used to login? Additionally, how can we make it such that after x failed attempts, the security code/token is expired?

Any suggestions/guidance is greatly appreciated as we need to have the application certified by this security firm.

Regards,

Brian


3 Answer(s)
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    ABP uses standard ASP.NET Core Identity to implement MFA authentication.

    We will consider supporting it in 8.3 if it's possible.

    Any suggestions/guidance is greatly appreciated as we need to have the application certified by this security firm.

    You might consider rewriting the send security code and verifying code methods.

    For example:

    using System;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.Extensions.Caching.Distributed;
    using Volo.Abp.Caching;
    using Volo.Abp.Identity.AspNetCore;
    using Volo.Account;

    // One cache entry per user for the currently outstanding code (ABP's typed cache needs a class)
    public class TwoFactorCodeCacheItem
    {
        public int FailedAttempts { get; set; }
        public DateTimeOffset ExpiresAt { get; set; }
    }

    public class MyAccountAppService : AccountAppService
    {
        // ... constructor forwarding to the base class omitted
        private readonly IDistributedCache<TwoFactorCodeCacheItem> _codeCache;

        public override async Task SendTwoFactorCodeAsync(SendTwoFactorCodeInput input)
        {
            await base.SendTwoFactorCodeAsync(input); // send the code as before

            // Store a marker in the distributed cache; its expiration bounds the code lifetime.
            // Overwriting the entry also resets the attempt count of a previously sent code.
            // input.UserId is assumed to carry the target user's id.
            var item = new TwoFactorCodeCacheItem { ExpiresAt = DateTimeOffset.UtcNow.AddMinutes(6) };
            await _codeCache.SetAsync($"2fa:{input.UserId}", item,
                new DistributedCacheEntryOptions { AbsoluteExpiration = item.ExpiresAt });
        }
    }

    public class MySignInManager : AbpSignInManager
    {
        // ... constructor forwarding to AbpSignInManager omitted
        private readonly IDistributedCache<TwoFactorCodeCacheItem> _codeCache;
        private const int MaxFailedAttempts = 5;

        public override async Task<SignInResult> TwoFactorSignInAsync(
            string provider, string code, bool isPersistent, bool rememberClient)
        {
            var user = await GetTwoFactorAuthenticationUserAsync();
            if (user == null) return SignInResult.Failed;
            var key = $"2fa:{user.Id}";

            // No cache entry: the code was never sent, already used, expired or locked out -> invalid code
            var item = await _codeCache.GetAsync(key);
            if (item == null) return SignInResult.Failed;

            var result = await base.TwoFactorSignInAsync(provider, code, isPersistent, rememberClient);

            if (result.Succeeded)
                await _codeCache.RemoveAsync(key); // login succeeded: the code is single-use
            else if (++item.FailedAttempts >= MaxFailedAttempts)
                await _codeCache.RemoveAsync(key); // too many failures: the code is locked out
            else // keep the original expiry so retries do not extend the code's lifetime
                await _codeCache.SetAsync(key, item, new DistributedCacheEntryOptions { AbsoluteExpiration = item.ExpiresAt });

            return result;
        }
    }
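The policy sketched in the answer above (a code is single-use, is replaced when a new one is issued, and is discarded after a small number of wrong guesses) as a self-contained store with no ABP or Identity dependency. This is an added example, not code from the thread or from the ABP project; the names OneTimeCodeStore and VerifyOutcome are hypothetical, it assumes .NET 6 or later, and the clock is injectable only so the expiry path can be exercised. Unlike the answer's sketch it also covers the tester's third point, that issuing a new code must invalidate the previous one.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Threading;

// Outcome of a verification attempt, so callers can distinguish lockout from a plain mismatch
public enum VerifyOutcome { Accepted, Rejected, LockedOut, NoActiveCode }

// Holds at most one outstanding code per user. Issuing a new code replaces the previous one.
public sealed class OneTimeCodeStore
{
    private sealed class Entry
    {
        public byte[] CodeHash = Array.Empty<byte>();
        public DateTimeOffset ExpiresAt;
        public int FailedAttempts;
    }

    private readonly ConcurrentDictionary<Guid, Entry> _entries = new();
    private readonly TimeSpan _lifetime;
    private readonly int _maxFailedAttempts;
    private readonly Func<DateTimeOffset> _clock; // injectable for tests (hypothetical helper)

    public OneTimeCodeStore(TimeSpan lifetime, int maxFailedAttempts, Func<DateTimeOffset>? clock = null)
    {
        _lifetime = lifetime;
        _maxFailedAttempts = maxFailedAttempts;
        _clock = clock ?? (() => DateTimeOffset.UtcNow);
    }

    // Generates a 6-digit code from a CSPRNG and stores only its hash; any earlier code is dropped.
    public string Issue(Guid userId)
    {
        var code = RandomNumberGenerator.GetInt32(0, 1_000_000).ToString("D6");
        _entries[userId] = new Entry { CodeHash = Hash(code), ExpiresAt = _clock() + _lifetime };
        return code;
    }

    public VerifyOutcome Verify(Guid userId, string candidate)
    {
        if (!_entries.TryGetValue(userId, out var entry)) return VerifyOutcome.NoActiveCode;
        if (_clock() >= entry.ExpiresAt)
        {
            _entries.TryRemove(userId, out _); // expired: treated the same as "no code"
            return VerifyOutcome.NoActiveCode;
        }
        // Constant-time comparison of the hashes, so timing does not leak matching prefixes
        if (CryptographicOperations.FixedTimeEquals(Hash(candidate), entry.CodeHash))
        {
            _entries.TryRemove(userId, out _); // accepted codes are single-use
            return VerifyOutcome.Accepted;
        }
        if (Interlocked.Increment(ref entry.FailedAttempts) >= _maxFailedAttempts)
        {
            _entries.TryRemove(userId, out _); // locked out: the user must request a fresh code
            return VerifyOutcome.LockedOut;
        }
        return VerifyOutcome.Rejected;
    }

    private static byte[] Hash(string code) => SHA256.HashData(Encoding.UTF8.GetBytes(code));
}

public static class Demo
{
    public static void Main()
    {
        var user = Guid.NewGuid();
        var store = new OneTimeCodeStore(TimeSpan.FromMinutes(6), maxFailedAttempts: 5);

        // 1. Single use: a correct code works once and is then gone
        var code = store.Issue(user);
        Console.WriteLine(store.Verify(user, code));   // Accepted
        Console.WriteLine(store.Verify(user, code));   // NoActiveCode

        // 2. Reissue invalidates the earlier code
        var first = store.Issue(user);
        var second = store.Issue(user);
        Console.WriteLine(store.Verify(user, first));  // Rejected (counts as one failed attempt)
        Console.WriteLine(store.Verify(user, second)); // Accepted

        // 3. Lockout: five wrong guesses discard the code, so even the right one no longer works
        code = store.Issue(user);
        for (var i = 0; i < 4; i++) store.Verify(user, "000000");
        Console.WriteLine(store.Verify(user, "000000")); // LockedOut
        Console.WriteLine(store.Verify(user, code));     // NoActiveCode
    }
}
```

The wrong-guess counter lives with the code rather than with the user session, so a guess made through the API is counted exactly like one made through the UI, which is the gap the testers reported. Storing a hash instead of the plaintext code means a leaked cache dump does not hand out live codes.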
    
  • balessi75 created

    Hi liangshiwei,

    Thank you for the guidance. I'll be giving your approach a try...

  • liangshiwei created
    Support Team Fullstack Developer

    okay

Made with ❤️ on ABP v9.2.0-preview. Updated on January 15, 2025, 12:18