Application Security Handbook

Multi-factor Authentication


Last updated 1 year ago

Overview

This page contains recommendations for the implementation of multi-factor authentication.

Multi-factor authentication (MFA) requires a user to present more than one type of evidence to authenticate to an application. There are four different types of evidence (or factors) that can be used:

Factor              Examples
Something You Know  Password, PIN.
Something You Have  Hardware or software token, certificate, email, SMS, phone call.
Something You Are   Fingerprint, face recognition.
Location            Source IP range, geolocation.

Multi-factor authentication requires evidence from two or more different factors. In other words, providing several pieces of evidence from the same factor (for example, a password and a PIN) is not multi-factor authentication.

General

  • Use a one-time password from SMS as a second authentication factor.

  • Provide the option for a user to use a Time-Based One-Time Password (TOTP) generated in an authenticator application as a second authentication factor.

  • If an application provides multiple ways for a user to authenticate (with a third-party service via OAuth2, in an API for mobile clients, etc.), require MFA for all of them.

  • Make sure that password reset, email confirmation, and other similar processes do not bypass MFA.

Clarification

A vulnerable application may grant direct access to an account without providing MFA immediately after resetting a password or following a confirmation link in an email.

  • Make multi-factor authentication mandatory for high-privileged users.

  • End all previously created sessions after enabling MFA.

Clarification

End all active sessions when a user enables MFA, so that a user who is strengthening the protection of their account can also "kick an attacker out" of any existing sessions in case the account has been compromised.

  • Require authentication data (a second authentication factor) from a user to confirm disabling multi-factor authentication.

  • If the "remember me" function is implemented:

    • Use a random token to remember the use of MFA.

    • Use different random tokens for each user and session.

  • Do not rely on user-controlled values from HTTP headers to determine the user's IP address if an IP address is used as a factor.

Clarification

If an application takes the client IP address from user-controlled HTTP headers, an attacker can easily spoof it by sending an address of their choice in headers such as:

forwarded-for
x-forwarded-for
x-forwarder-for
x-forwarder-ip
x-client-ip
...
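The following Python example is added here to illustrate the recommendation above; it is not code from the handbook. It contrasts the vulnerable "believe whatever header is present" pattern with resolving the client address from the TCP peer and a trusted-proxy list, and then uses the result for an IP-range factor check. The proxy range, addresses and header values are constructed for the example.

```python
import ipaddress

# Constructed example: the reverse proxies this deployment sits behind. Only these
# peers are allowed to tell us who the real client is.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted_proxy(addr: str) -> bool:
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False

def naive_client_ip(remote_addr: str, headers: dict) -> str:
    """The pattern the recommendation warns against: whichever of these headers the
    client sends is believed, so the attacker picks the value of the 'IP factor'."""
    for name in ("x-forwarded-for", "x-forwarder-for", "x-client-ip"):
        if name in headers:
            return headers[name].split(",")[0].strip()
    return remote_addr

def client_ip(remote_addr: str, headers: dict) -> str:
    """IP address to use as an authentication factor.

    remote_addr is the peer of the accepted TCP connection and cannot be forged.
    X-Forwarded-For is consulted only when that peer is one of our proxies, and the
    chain is walked from the right: each proxy appends the address it saw, so the
    rightmost hop that is not our proxy is the real client; everything left of it
    arrived from the client and may be spoofed. Other header variants are ignored.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    for hop in reversed(headers.get("x-forwarded-for", "").split(",")):
        hop = hop.strip()
        if is_trusted_proxy(hop):
            continue  # one of ours: keep walking towards the client
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # empty or malformed hop: nothing past it can be trusted
    return remote_addr

def ip_factor_satisfied(remote_addr: str, headers: dict, allowed: list) -> bool:
    """Location factor: the resolved client IP must fall inside an allowed range."""
    ip = ipaddress.ip_address(client_ip(remote_addr, headers))
    return any(ip in ipaddress.ip_network(net) for net in allowed)
```

Header names are assumed to be lower-cased by the framework before the lookup, as most web frameworks do.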
  • Use a Time-Based One-Time Password (TOTP) generated in an authenticator application as a second authentication factor.

  • Provide the option for a user to use a hardware token as a second authentication factor.

  • Make multi-factor authentication mandatory for all users.

  • Notify a user when multi-factor authentication is enabled or disabled.

  • If the "remember me" function is implemented:

    • Use a random token and location/browser fingerprint/device token to remember the use of MFA.

    • Implement the functionality of remote revocation of remembered devices.
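As an added example for both "remember me" recommendations above (not code from the handbook), the Python class below keeps one random token per user and per grant, stores only a hash of the cookie secret, binds the grant to a browser fingerprint, and lets the user list and remotely revoke remembered devices. The 30-day lifetime and the fingerprint inputs are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_TTL_SECONDS = 30 * 24 * 3600  # constructed policy value: 30 days

def device_fingerprint(user_agent: str, accept_language: str) -> str:
    # Coarse, stable attributes only: the fingerprint binds the token, it is not a secret.
    return hashlib.sha256(f"{user_agent}\n{accept_language}".encode()).hexdigest()

class RememberedDevices:
    """Server-side 'remember this device' grants: one random token per grant, the
    cookie carries the raw secret, the store keeps only its hash."""

    def __init__(self):
        self._grants = {}  # grant_id -> record

    def remember(self, user_id: str, fingerprint: str, now: float = None) -> str:
        now = time.time() if now is None else now
        grant_id, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._grants[grant_id] = {"user_id": user_id, "fingerprint": fingerprint,
                                  "secret_hash": hashlib.sha256(secret.encode()).hexdigest(),
                                  "expires_at": now + REMEMBER_TTL_SECONDS, "revoked": False}
        return f"{grant_id}.{secret}"  # value for the remember-me cookie

    def may_skip_mfa(self, user_id: str, cookie: str, fingerprint: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        grant_id, _, secret = (cookie or "").partition(".")
        rec = self._grants.get(grant_id)
        if rec is None or rec["revoked"] or now >= rec["expires_at"]:
            return False
        secret_ok = hmac.compare_digest(rec["secret_hash"], hashlib.sha256(secret.encode()).hexdigest())
        # The grant must belong to this user and to the device it was issued on.
        return secret_ok and rec["user_id"] == user_id and hmac.compare_digest(rec["fingerprint"], fingerprint)

    def active_grants(self, user_id: str) -> list:
        """What the user's 'remembered devices' page lists."""
        return [g for g, r in self._grants.items() if r["user_id"] == user_id and not r["revoked"]]

    def revoke(self, user_id: str, grant_id: str) -> bool:
        """Remote revocation of one device; a user can only revoke their own grants."""
        rec = self._grants.get(grant_id)
        if rec is None or rec["user_id"] != user_id:
            return False
        rec["revoked"] = True
        return True
```

The cookie value should be set with the attributes the Cookie Security page requires; the store is in memory here and would be a database table in practice.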

  • Require MFA to confirm sensitive actions (disabling security mechanisms, API token generation, etc.) or actions that require elevated privileges.

References

  • Comply with requirements from the Authentication: One Time Password (OTP) page.

  • Comply with requirements from the Error and Exception Handling page.

  • Log authentication attempts and multi-factor enabling and disabling, see the Logging and Monitoring page.

  • Generate a random token using a cryptographically strong random generator, see the Cryptography: Random Generators page.

  • Store the random token in the ultimate cookie, see the Cookie Security page.

  • OWASP Cheat Sheet Series: Multifactor Authentication Cheat Sheet