The application does not support Multi-Factor Authentication making it more susceptible to credential brute force attacks.
Description
The Guardian web application does not support Multi-Factor Authentication (MFA). MFA creates a layered defense that helps prevent an unauthorized user from gaining access to an account or service, because an attacker can no longer authenticate with just a username and password. If one factor, such as a user's password, is compromised, the account is still protected by the remaining factor.
MFA requires at least two different factors to verify the identity of a user. These factors may consist of something a user knows (such as a password), something a user is (such as a fingerprint) and/or something a user has (such as a mobile device). For example, a common form of MFA for web applications is a password and a one-time password (OTP), often generated on a mobile device or dedicated hardware token. If a user’s password were to be compromised, access to their account could not be gained unless an attacker also had access to this second factor of authentication (their mobile device or dedicated hardware token).
The use of MFA reduces the risk of account compromise in a number of credential-based attack scenarios, including:
• 'Credential stuffing', in which an attacker replays credentials harvested from data breaches or leaked datasets (which are often publicly available) to identify accounts where a compromised password has been reused on other systems.
• 'Password spraying', in which an attacker attempts to log into a large number of user accounts, typically using a small number of commonly used passwords, or even just one.
• Brute-force and credential guessing attacks against application user accounts to identify weak passwords.
• Social engineering attacks designed to obtain user credentials, such as phishing. This finding, in combination with the findings "No Password Policy" and "Lack of Account Takeover (ATO) Protections", increases the risk of these kinds of attacks.
Recommendation
To mitigate the attacks described above, MFA should be implemented, preferably using a one-time password (OTP) generated by an authenticator app on a mobile device or by a dedicated hardware token. Note that OTP codes can still be relayed by a real-time phishing proxy; where phishing is the main concern, a phishing-resistant authenticator such as a FIDO2/WebAuthn security key is the stronger option. There is a wide variety of third-party solutions that can be used to achieve this. The decision on how to implement MFA should be tailored to each organization and system based on the technologies in use together with specific business and user requirements. It should be noted that delivering OTP codes by SMS is a weaker form of MFA because of SIM swap attacks and message interception.
When implementing MFA consider one or more of the following options:
• Mandating MFA for administrative users (where the impact of an account compromise is greater)
• Offering MFA as an option for all users (so that more security-conscious users can enable it on their accounts)
• Requiring MFA (step-up authentication) for particularly sensitive actions in the application, such as changing the password, the e-mail address or the user's MFA settings.
One challenge when implementing MFA is how to authenticate users if their second factor is not accessible. Consider one or more of the following options:
• A set of single-use backup (recovery) codes, generated at enrolment and shown to the user once, stored only as hashes, invalidated after each use and re-generable by the user.
• Requiring the user to set up multiple forms of MFA.
• Requiring the user to contact support to verify their identity.
• Requiring another administrator to verify the user's identity and then remove (reset) the MFA requirement for that user, with the action logged.
More information is available in the OWASP Multifactor Authentication Cheat Sheet.
Location
Guardian Web Application