What is 2FA or MFA?
Web applications typically require authentication before granting access to sensitive functionality such as per-user "MyAccount" pages and order functionality. Typically, this authentication relies on a single authentication "factor" (something that is known), namely a password.
Increasingly, however, web applications may require multiple "factors", such as two (or more) of:
- "Something you know", such as a password; and
- "Something you are", such as a biometric/fingerprint scan; or
- "Something you have", such as a [physical or electronic] "token"
Occasionally, the second factor may be slightly less easy to classify, such as verifying access to an email account by means of an authentication code sent to that email account.
How does 2FA or MFA work?
MFA works by requiring the user to prove that they can access each required factor - i.e. that they know the password associated with the account and that they have access to the MFA token (sometimes this is done by entering a 6-digit number generated by the electronic token or fob).
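The 6-digit code mentioned above is, on most electronic tokens and authenticator apps, a time-based one-time password (TOTP, RFC 6238): the token and the server share a secret, and both derive the same short code from it and the current 30-second time window. The following is an added example of the server-side check, not AppCheck's code or part of the original article; the secret, the time values and the drift and replay policy are assumptions for illustration (the secret is the published RFC test-vector key, never a value to use in production).

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Constructed demo secret (the RFC 4226/6238 test-vector key). A real deployment
# generates a random per-user secret and stores it encrypted, never hard-coded.
DEMO_SECRET = b"12345678901234567890"

TIME_STEP = 30   # seconds per TOTP window (RFC 6238 default)
DIGITS = 6       # the "6-digit number" the article mentions


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check of the 'something you have' factor (assumed policy).

    - accepts the code for the current window plus +/-1 window of clock drift
    - refuses a code from a time step at or before the last accepted one, so
      a submitted code is single-use and a captured code cannot be replayed
    """

    def __init__(self, secret: bytes, drift_windows: int = 1):
        self.secret = secret
        self.drift_windows = drift_windows
        self.last_accepted_step = -1  # persisted per account in a real system

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current_step = now // TIME_STEP
        for delta in range(-self.drift_windows, self.drift_windows + 1):
            step = current_step + delta
            if step <= self.last_accepted_step:
                continue  # already consumed (or older than last use): reject
            expected = hotp(self.secret, step)
            # constant-time comparison so timing does not leak partial matches
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed walk-through at Unix time 59 (RFC 6238 test-vector instant).
    v = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    print("token shows", code)
    print("first submission accepted:", v.verify(code, now=59))
    print("replay accepted:", v.verify(code, now=59))
```

The point for scanning is visible in `verify`: the expected value changes every window and each code is consumed on use, so a scanner that does not hold the shared secret (or a token generating codes from it) has nothing it can legitimately submit, which is exactly what the factor is designed to guarantee.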
Why does this provide difficulties for a "headless" automated scanner?
An automated scanner such as AppCheck executes without human interaction - it is code running on a server and cannot interact with physical objects such as MFA tokens.
Authenticating against a barrier that demands multiple factors can therefore be problematic, since such systems are explicitly designed to verify that a unique human user is present and to defeat automated authentication.
Can AppCheck perform authenticated scanning on a system that uses Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA)?
AppCheck does support authenticated web application scanning (See https://appcheck.zendesk.com/hc/en-us/articles/360015781177-What-is-authenticated-web-application-scanning-and-can-AppCheck-perform-authenticated-web-application-scanning- for more details).
However, AppCheck cannot typically authenticate where a true MFA system is in place, since, unlike a human user, it cannot access the secondary authentication "factors". In some circumstances, however, a customer can put a bypass in place to permit scanning.
What alternatives are there for scanning systems that use 2FA/MFA?
Customers who wish AppCheck to perform authenticated web application scanning against a system that implements 2FA or MFA may wish to explore the following options:
- Unauthenticated scanning can still be performed - that is, the web application can still be scanned, albeit from an unauthenticated perspective only; or
- MFA can sometimes be disabled for a specific user account while leaving 2FA enabled for all other accounts on the system; or
- MFA can sometimes be modified or bypassed for a specific user account, for example by ensuring that a static, known token is used for that account in place of the usual dynamically generated one; or
- A test/staging instance of the application (not on the public internet) can have MFA disabled and be used for scanning (this will require an internal scanning hub positioned on the customer's network).