Multi-Factor Authentication (MFA/TOTP) Use Cases
Information
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.
How the check works
The main check is a Python script that uses pyotp to generate the 30-second TOTP codes you log in with. The script supports one or several accounts at the same time, as long as you provide the secret for each of them. It stores the generated codes in the ASM dictionary so that other checks, such as ZebraTester, Browser and Postman checks, can read them.
At the end of this page you'll find examples of how to use the codes in a Browser check and a ZebraTester check.
The current script needs to run once every 10-15 seconds so that the stored codes are refreshed before they expire. The script could be modified to loop for a given number of seconds or minutes and refresh the codes itself, but while that loop runs no other script can run on the agent at the same time.
ASM Setup
This check has not been published to customers yet. If you have a use for it for customers, message @Christian Backström and he’ll upload it for you to use. The script needs to run on a private agent that has the python container enabled. This script does not run on public agents. The agent needs to have the module “pyotp” installed. You can follow this guide to install it:
Install external libraries for Python Checks
Once on your private agent you need to navigate to the following directory:
/opt/asm-browser-agent
Next, you need to execute the bash script “chroot_shell.sh”
Whilst in “apica-chroot” you can interact with the Python environment available to the private agent (the latest package includes Python 3.9.8).
You can also use pip to install external packages; see the example below.
pip3 install <module>
Example
[apica-chroot] root@ip-xxx-xx-xx-xxx:/# pip3 install pymssql
Collecting pymssql
Downloading pymssql-2.2.5-cp39-cp39-manylinux_2_24_x86_64.whl (2.6 MB)
|████████████████████████████████| 2.6 MB 35.9 MB/s
Installing collected packages: pymssql
Successfully installed pymssql-2.2.5
Create a Python check with the following settings:
Resource path: mfa_generator.py
Environmental variables: --codes SECRET@SECRET --names ACCOUNTNAME@ACCOUNTNAME --apiEndPoint ENDPOINT --dictionaryName DICNAME --authTicket TICKET
Replace SECRET in codes with the secret the codes are generated from; you receive it when you set up MFA on the site. Separate multiple secrets with @ if you want to use several accounts.
Replace ACCOUNTNAME in names with the account you’re generating codes for. Names are matched to secrets by position, so keep them in the same order as the secrets.
Replace ENDPOINT in apiEndPoint with either “api-wpm”, “api-wpm2” or “api-asm-us1” depending on the silo the customer is on.
Replace DICNAME in dictionaryName with the dictionary you’ve set up for this use case. If you haven’t already, you can read how to do it here: POST scenarios/proxysniffer/dictionaries
Replace TICKET in authTicket with the auth ticket used to access the previously created dictionary.
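As an added example (not the page's own mfa_generator.py), the script below parses the --codes SECRET@SECRET / --names ACCOUNTNAME@ACCOUNTNAME format described above and generates the 30-second codes for each account, which is what the check described under "How the check works" does. TOTP is implemented directly from RFC 6238 (HMAC-SHA1, 6 digits, 30 s step) so it runs without pyotp; the upload to the ASM dictionary is left out because the page does not document that API call.

```python
# Added example, not the page's mfa_generator.py. Written for Python 3.9 (the
# version in the agent's chroot), hence typing.Optional rather than "float | None".
import argparse
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def totp(secret_b32: str, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code for a base32 secret (the value shown when MFA is set up)."""
    padded = secret_b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)          # tolerate secrets shown without padding
    key = base64.b32decode(padded)
    counter = int(time.time() if for_time is None else for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                   # dynamic truncation, RFC 4226
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def seconds_remaining(for_time: Optional[float] = None, step: int = 30) -> int:
    """Seconds until the current code expires; this is why the check reruns every 10-15 s."""
    now = int(time.time() if for_time is None else for_time)
    return step - (now % step)


def generate_codes(codes_arg: str, names_arg: str, for_time: Optional[float] = None) -> Dict[str, str]:
    """Map each ACCOUNTNAME to its code; names are matched to secrets by position."""
    secrets = codes_arg.split("@")
    names = names_arg.split("@")
    if len(secrets) != len(names):
        raise ValueError(f"{len(secrets)} secrets but {len(names)} names")
    return {name: totp(secret, for_time) for name, secret in zip(names, secrets)}


def parse_args(argv=None) -> argparse.Namespace:
    """Accept the same --codes / --names flags as the check's environment variables."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--codes", required=True, help="base32 secrets separated by @")
    parser.add_argument("--names", required=True, help="account names separated by @")
    return parser.parse_args(argv)


if __name__ == "__main__":
    args = parse_args()
    for account, code in generate_codes(args.codes, args.names).items():
        print(f"{account}: {code} (valid for {seconds_remaining()} s)")
```

The assertions below use the RFC 6238 reference secret (ASCII "12345678901234567890" in base32); a real check would pass the secrets from the MFA setup page instead.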
Examples:
Python check: https://wpm.apicasystem.com/Check/Details/3367425
Selenium check: https://wpm.apicasystem.com/Check/Details/3367456
ZebraTester check:
Here’s how the codes are stored to be accessed:
Can't find what you're looking for? Send an E-mail to support@apica.io