Sub-task
Resolution: Unresolved
Major
<h2>Guidance applicable to Red Hat (What do offerings need to do to fulfill this?)</h2>
<p>There are two parts to the guidance here:</p>
<ol>
<li>Implement multi-factor authentication for access to privileged accounts.
<ol>
<li>Logon access to the offering has support for multi-factor authentication. It may not be enabled by default, but the support should exist and can be enabled at the discretion of administrators of that particular installation.</li>
<li>The guidance also says that "Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." A more rigorous mechanism can be a stronger password policy in cases where using MFA is not viable.</li>
</ol>
</li>
<li>Implement multi-factor authentication for access to non-privileged accounts.
<ol>
<li>Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.</li>
<li>Offerings and security architects need to determine the risk for these kinds of accounts. For user accounts bound by strong authorization rules, MFA can be replaced with a stronger password policy, depending on the amount of risk involved with these accounts.</li>
</ol>
</li>
</ol>
<p>For products, the requirement is that they have the possibility to enable MFA by themselves or by the use of a third party authentication server.</p>
<p>For services, any public endpoint must enforce MFA for privileged access by Red Hat staff (redhatters), for example for maintenance or troubleshooting. For customers, it should be possible to enable MFA, and customers who have not enabled it should be shown a message recommending it and explaining how to enable it.</p>
Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/amq-clients/tasks/phase/specifications/141-T1/
How Tos:
Configure 2FA in ASP.NET
Enabling 2FA for a user
To implement 2FA for a specific user, the TwoFactorEnabled field in the ASP.NET identity database must be set to true.
2FA registration in ASP.NET
ASP.NET includes several classes that implement IUserTwoFactorTokenProvider to send and validate the second factor:
- EmailTokenProvider sends codes over email messages.
- PhoneNumberTokenProvider sends codes over SMS, although you’ll need an account at a service like Twilio, and fees will apply.
- AuthenticatorTokenProvider uses codes generated by an authenticator app.
Users can bypass the 2FA process using the “Remember me” checkbox during login. To enforce stricter security, remove the “Remember me” feature by customizing the login page:
1. Right-click your project in the Solution Explorer and choose Add a New Scaffolded Item.
2. Choose Identity in the tree on the left, and click Add.
3. In the list of pages, check Account\Login, then click Add.
4. Now that the login page is in your project, you can edit the markup and remove the “Remember me” checkbox by hand.
This is recommended for applications with high-security requirements.
Requiring 2FA
To protect sensitive information and make it available only to users authenticated with two factors:
1. Configure an authorization policy that requires two-factor authentication:
```csharp
builder.Services.AddAuthorization(options =>
    options.AddPolicy("TwoFactorEnabled",
        policy => policy.RequireClaim("amr", "mfa")));
```
2. Test the configuration using SignInManager. Here’s a page that shows different content depending on whether the user is authenticated with a second factor:
```cshtml
@* Razor page that injects SignInManager<IdentityUser> and IAuthorizationService *@
@if (SignInManager.IsSignedIn(User))
{
    if ((await AuthorizationService.AuthorizeAsync(User, "TwoFactorEnabled")).Succeeded)
    { /* Visible only if authenticated with two factors */ }
    else
    { /* Visible if authenticated with one factor */ }
}
```
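The guidance above (MFA enforced for privileged access, and a recommendation shown to users who have not enabled it) and the ASP.NET how-to steps together, as an added example that is not code from the ticket or from SD Elements: a .NET 8 minimal-API Program.cs wiring Identity, the "TwoFactorEnabled" policy, one endpoint that requires a 2FA-backed session and two that report and enable 2FA for the signed-in user. The connection string name "Default", the endpoint paths and the AppDbContext class are assumptions.

```csharp
// Added example (not from the ticket). Assumes a connection string named "Default"
// and the AppDbContext declared at the bottom.
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o =>
    o.UseSqlite(builder.Configuration.GetConnectionString("Default")));

builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    options.Password.RequiredLength = 14;        // stronger password policy where MFA is not viable
    options.Lockout.MaxFailedAccessAttempts = 5; // brute-force defence
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders(); // Email, Phone and Authenticator token providers

// SignInManager adds amr=mfa only after the second factor is verified, so a
// password-only session does not satisfy this policy.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("TwoFactorEnabled",
        policy => policy.RequireAuthenticatedUser().RequireClaim("amr", "mfa")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Privileged operation (e.g. maintenance): reachable only with a 2FA-backed session
app.MapGet("/admin/maintenance", () => "privileged content")
   .RequireAuthorization("TwoFactorEnabled");
// Non-privileged area: recommend MFA to signed-in users who have not enabled it
app.MapGet("/account/status", async (HttpContext ctx, UserManager<IdentityUser> users) =>
{
    var user = await users.GetUserAsync(ctx.User);
    if (user is null) return Results.Unauthorized();
    return await users.GetTwoFactorEnabledAsync(user)
        ? Results.Ok("MFA is enabled for this account.")
        : Results.Ok("MFA is not enabled; enable it from the account management page.");
}).RequireAuthorization();
// Sets TwoFactorEnabled = true for the signed-in user ("Enabling 2FA for a user" above)
app.MapPost("/account/enable-2fa", async (HttpContext ctx, UserManager<IdentityUser> users) =>
{
    var user = await users.GetUserAsync(ctx.User);
    if (user is null) return Results.Unauthorized();
    var result = await users.SetTwoFactorEnabledAsync(user, true);
    return result.Succeeded ? Results.NoContent() : Results.BadRequest(result.Errors);
}).RequireAuthorization();
app.Run();

class AppDbContext(DbContextOptions<AppDbContext> options) : IdentityDbContext<IdentityUser>(options);
```

A session established with password only, including one kept alive by "Remember me", carries no amr=mfa claim, so /admin/maintenance returns 403 until the user completes the second factor.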
Training Modules
Defending Web Applications
- Defending Against Brute Force Attacks
- API Authorization Controls
- Understanding Multi-Factor Authentication