Multi Factor Authentication: Using “something you KNOW” and “something you HAVE” to protect your applications

User login credentials are the easiest target for attackers trying to compromise a web application and gain access to valuable corporate data: 95% of all web application breaches involve stolen user credentials. Multi-factor authentication (MFA) is one of the best ways to protect accounts from being hijacked, and more organizations are now adopting it to raise the bar for attackers. The PCI Data Security Standard (PCI DSS) 3.2 adds multi-factor authentication as a requirement for websites handling payment card data. So what exactly is multi-factor authentication?

Something you “know” and something you “have”

Traditional authentication requires the user to enter a username and a password. This system relies on a single factor, something the user knows, as the sole means of authentication. An attacker can recover a user's password simply by trying candidate passwords one after another until the correct one is found, in what is known as a “brute force” attack. Other techniques such as keylogging, phishing, and pharming are also used to steal passwords.

With MFA, instead of relying only on something the user knows, we also rely on something the user has in their possession, such as a cell phone, to complete authentication. A site using MFA would therefore not only prompt the user for a username and password but also send a one-time code via SMS to their cell phone, which the user must enter as well to gain access to their account.

An MFA system can use any possession factor. SMS text messaging is simply the most common form of MFA, because most people have easy access to a cell phone, so many organizations use SMS codes as their second authentication factor. A community-driven list records which common websites implement MFA; it is managed through a public GitHub repository, so anyone in the community can add to or modify it.
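To make the two-step flow above concrete, here is an added example (not code from the original post or from WhiteHat) of a minimal login service that checks the knowledge factor (a salted password hash) and then issues and verifies a possession factor (a one-time SMS code). The SMS transport is a caller-supplied callable, and the clock is injectable so expiry can be tested offline; both are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import time

OTP_TTL_SECONDS = 300    # the second-factor code expires after five minutes
MAX_OTP_ATTEMPTS = 3     # a challenge is discarded after three wrong codes


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest for the 'something you know' factor."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class MfaLogin:
    """Two-step login: password first, then a one-time code sent out of band."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone, message); hypothetical transport
        self.now = now             # injectable clock so tests can simulate expiry
        self.users = {}            # username -> (salt, digest, phone)
        self.pending = {}          # username -> {"code", "expires", "attempts"}

    def register(self, username, password, phone):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, phone)

    def step1_password(self, username, password):
        """Verify the knowledge factor; on success, issue a fresh SMS code."""
        user = self.users.get(username)
        if user is None:
            return False
        salt, digest, phone = user
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):   # constant-time compare
            return False
        code = "%06d" % secrets.randbelow(10**6)          # CSPRNG, not random.randint
        self.pending[username] = {"code": code, "expires": self.now() + OTP_TTL_SECONDS, "attempts": 0}
        self.send_sms(phone, "Your login code is " + code)
        return True

    def step2_code(self, username, code):
        """Verify the possession factor: bounded attempts, expiry, no replay."""
        challenge = self.pending.get(username)
        if challenge is None:
            return False
        if self.now() > challenge["expires"] or challenge["attempts"] >= MAX_OTP_ATTEMPTS:
            del self.pending[username]   # stale or exhausted challenge is dropped
            return False
        challenge["attempts"] += 1
        if not hmac.compare_digest(challenge["code"].encode(), code.encode()):
            return False
        del self.pending[username]       # one-time: the same code cannot be replayed
        return True
```

A code entered before step 1 succeeds, after expiry, after too many wrong guesses, or a second time is rejected, which is the behaviour a scanner or reviewer should look for in an MFA implementation.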

WhiteHat Sentinel – MFA Capabilities

WhiteHat Sentinel Dynamic now supports automated vulnerability scanning for websites that implement MFA, providing superior scan coverage and saving our customers time and resources. With the new MFA support, the need for complex static code configurations is eliminated, allowing the Sentinel scanner to log in to an MFA-enabled website seamlessly. Sentinel Dynamic then continuously scans your websites as they evolve, automatically detecting and assessing code changes and alerting on newly discovered vulnerabilities.