authentication – The issue is with MFA Authenticator code in Easy Repro

In order to proceed with Easy Repro, I have followed the below steps (in picture) for setting up the MFA Authenticator.

But I am getting the approval code on my Android phone, where I own an app, and I need to approve it each time we run the automation scripts.

Can anyone please suggest to avoid this?

How to enable MFA on PowerApp?

I have built some simple PowerApps (not portal) and they work fine on Android and iPhone. But I am not sure how to enable MFA on PowerApp. Is there any official document available? I can only find discussions of this topic on other forums. Could you please advise?

authentication – Does this official “Enforce MFA” AWS policy make any sense?

At https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/ AWS officially recommends having this policy:

    {
        "Sid": "BlockMostAccessUnlessSignedInWithMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:DeleteVirtualMFADevice",
            "iam:ListVirtualMFADevices",
            "iam:EnableMFADevice",
            "iam:ResyncMFADevice",
            "iam:ListAccountAliases",
            "iam:ListUsers",
            "iam:ListSSHPublicKeys",
            "iam:ListAccessKeys",
            "iam:ListServiceSpecificCredentials",
            "iam:ListMFADevices",
            "iam:GetAccountSummary",
            "sts:GetSessionToken"
        ],
        "Resource": "*",
        "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }

which presumably is supposed to enforce MFA requirement for the account.

But to me having "iam:DeleteVirtualMFADevice" makes it not very useful.

2FA to me is a second measure to protect authentication flow: you must know not only a password, but also a 2FA device.

Now with this policy – it allows removing a virtual MFA as long as you have a valid access token.

And "iam:DeleteVirtualMFADevice" cannot be removed from there: if one removes it, then the AWS console MFA setup page is broken (it says the MFA already exists, even if it wasn't set up yet).

Am I missing something, or is there security theatre happening here?
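As an added example (not from the question or from the AWS article), here is a small Python model of how IAM evaluates the Deny statement quoted above, using the exact NotAction list from the policy and IAM's documented operator semantics. It assumes, per the IAM documentation, that `aws:MultiFactorAuthPresent` is absent from the request context for long-term access keys and that the `Bool` operator never matches an absent key while `BoolIfExists` does; it also shows that `iam:DeactivateMFADevice`, which IAM requires before a virtual device that is enabled for a user can be deleted, is not in the exempt list and therefore stays denied without MFA.

```python
import fnmatch

# Action list copied verbatim from the NotAction block of the policy in the question.
MFA_EXEMPT_ACTIONS = [
    "iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
    "iam:ListVirtualMFADevices", "iam:EnableMFADevice", "iam:ResyncMFADevice",
    "iam:ListAccountAliases", "iam:ListUsers", "iam:ListSSHPublicKeys",
    "iam:ListAccessKeys", "iam:ListServiceSpecificCredentials",
    "iam:ListMFADevices", "iam:GetAccountSummary", "sts:GetSessionToken",
]


def deny_applies(action: str, mfa_present, operator: str = "Bool") -> bool:
    """Does the 'BlockMostAccessUnlessSignedInWithMFA' Deny match this request?

    mfa_present: True/False when the request uses temporary credentials (key set),
                 None when the key is absent, as it is for long-term access keys.
    operator:    "Bool" as in the quoted policy, or the "BoolIfExists" variant.
    """
    # NotAction: the statement never matches an exempted action
    # (IAM action matching is case-insensitive and allows * and ? wildcards).
    if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in MFA_EXEMPT_ACTIONS):
        return False
    if mfa_present is None:
        # IAM semantics: a missing key never satisfies Bool; ...IfExists treats it as a match.
        return operator == "BoolIfExists"
    return mfa_present is False


def effective(action: str, mfa_present, operator: str = "Bool") -> str:
    """An explicit Deny always wins; otherwise the user's Allow statements decide."""
    return "Deny" if deny_applies(action, mfa_present, operator) else "AllowIfGranted"


if __name__ == "__main__":
    # The concern from the question: deleting a virtual device is exempt...
    print(effective("iam:DeleteVirtualMFADevice", False))        # AllowIfGranted
    # ...but deactivating it first (which IAM requires for an enabled device) is not.
    print(effective("iam:DeactivateMFADevice", False))           # Deny
    # Caveat with "Bool": requests signed with long-term access keys carry no key at all.
    print(effective("s3:ListAllMyBuckets", None))                # AllowIfGranted
    print(effective("s3:ListAllMyBuckets", None, "BoolIfExists"))  # Deny
```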

api design – Securing API with JWT and elevated access using MFA

At my company we have a central auth server running IdentityServer. There are a number of applications providing some API to client applications. API requests are authenticated with JWT tokens issued by said auth server. It works fine for our purposes.

We have a new requirement that basically needs a secondary verification for some actions.
The scenario goes like this:

  • User logs in to an app.
  • User wants to perform an action that requires elevated access and is asked to confirm the action.
  • User enters a one-time password from TOTP/SMS.
  • Intent is confirmed and API responds to action.

Now the implementation I have in mind follows:

  • API gets a request, checks the JWT amr claim, sees no otp, returns 401 Unauthorized/403 Forbidden with WWW-Authenticate: mfa (or something along those lines) and a unique id for the action
  • App gets the 401 response, notices it needs to verify the action with an OTP, and redirects to the auth server with the given id
  • Auth server verifies OTP and returns a new but short-lived JWT (with amr=otp) that only authorizes said action
  • App uses this JWT to resend the request to API
  • API performs restricted action
  • App continues using regular JWT (discards JWT used for OTP)

Now my question is: do you think this is a valid/good approach?
Are there better ways of handling this operation?
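The exchange described in the question, as an added example that is not part of the original post and not IdentityServer's code: a hand-rolled HS256 JWT (shared demo key, assumed for simplicity) stands in for the auth server, and the API keeps a table of pending action ids so that the short-lived step-up token is accepted only once, only for the action it was minted for, and only for the same subject.

```python
import base64, hashlib, hmac, json, time, uuid
KEY = b"constructed-demo-hmac-key"  # shared HS256 key, demo only (assumed)
PENDING = {}  # API side: action_id -> (subject, action) awaiting step-up

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint(claims: dict, ttl: int) -> str:
    """Auth server: issue an HS256 JWT with iat/exp added."""
    now = int(time.time())
    payload = _b64(json.dumps(dict(claims, iat=now, exp=now + ttl)).encode())
    signing_input = _b64(b'{"alg":"HS256","typ":"JWT"}') + "." + payload
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify(token: str) -> dict:
    """API: check signature and expiry, return the claims."""
    head, payload, sig = token.split(".")
    expected = hmac.new(KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims

def step_up(regular_token: str, action_id: str, otp_valid: bool) -> str:
    """Auth server: after a correct OTP, mint a 60 s token bound to one action."""
    if not otp_valid: raise PermissionError("wrong OTP")
    sub = verify(regular_token)["sub"]
    return mint({"sub": sub, "amr": ["pwd", "otp"], "action": action_id}, ttl=60)

def api_restricted(token: str, action: str) -> dict:
    """API: challenge if amr lacks otp; else consume the pending action the token is bound to."""
    claims = verify(token)
    if "otp" not in claims.get("amr", []):
        action_id = str(uuid.uuid4())
        PENDING[action_id] = (claims["sub"], action)
        return {"status": 401, "WWW-Authenticate": "mfa", "action_id": action_id}
    if PENDING.pop(claims.get("action"), None) != (claims["sub"], action):
        return {"status": 403, "error": "step-up token not bound to a pending action"}
    return {"status": 200, "result": f"{action} done for {claims['sub']}"}

def run_flow() -> list:
    """Client: regular token -> 401 challenge -> step-up -> retry; a replay is refused."""
    regular = mint({"sub": "alice", "amr": ["pwd"]}, ttl=3600)
    challenge = api_restricted(regular, "wire-transfer")
    elevated = step_up(regular, challenge["action_id"], otp_valid=True)
    return [challenge["status"], api_restricted(elevated, "wire-transfer")["status"],
            api_restricted(elevated, "wire-transfer")["status"]]
```

run_flow() returns [401, 200, 403]: the challenge, the confirmed action, and the rejected reuse of the same step-up token.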

multi factor – Security concerns regarding user self-service MFA reset

Let’s say I have an IAM system with a typical MFA feature: TOTP with recovery codes. When users don’t have access to their TOTP apps, they can use recovery codes to log in. The IAM system has an admin interface which end users don’t have access to due to security reasons.
For most systems that I have used, e.g. Auth0, end users need to ask their admins to reset MFA for them. However, it seems that none (at least none that I know of) has support for resetting MFA at login time (for example, after entering the recovery code, the login screen could ask users "Hey, have you lost your second factor? Do you want to reset it?"). Besides reasons such as:

  1. If users have access to some sort of "my profile" interface where they can reset MFA, implementing it again duplicates that functionality.
  2. Maybe users just don’t have access to their TOTP app for the time being. Asking them to reset seems strange.

Are there security concerns which suggest that having such a self-service MFA reset feature is a bad idea?

Thank you 🙂

development – Log into SharePoint tenant through CSOM with MFA enabled

I need to log into a SharePoint tenant using an admin account that uses MFA.

This is the code.

    var authManager = new OfficeDevPnP.Core.AuthenticationManager();
    var context = authManager.GetWebLoginClientContext(tenantUrl);

    // load some stuff

    // this will fail with 403 Unauthorized
    context.ExecuteQuery();

The login window does pop up for a second, but closes again immediately. I assume that it uses the cookie for my regular user (without SharePoint administration rights). The following requests that need tenant scope obviously do not work.

How can I clear the token cache so I can log in with the correct user? In the PnP PowerShell I had the same problem with -UseWebLogin, but there I can actually use the ClearTokenCache parameter and then it works. I have not yet found a similar option here, and PowerShell is not an option.

MFA security issue with Sharepoint when setting access for work or school in Windows 10

We have an Office 365 E1 license.
Our users have unmanaged Windows 10 personal devices.
We use MFA for authentication.
In Windows Settings, Access work or school, a user can enrol their device.
The user is asked to do that after he chooses to open a document with the desktop app (Word).
The administrator can see that users have done this.
Afterwards, when these users type in the URL companyname.sharepoint.com, they are no longer asked to authenticate with MFA.
When the setting in Windows 10 is removed, they are again asked to sign in with MFA.

What is wrong in our server setting that this security problem arises?
Please help.

development – How do I get the site collection and document libraries on SharePoint Online with MFA enabled?

I am making a Winforms program that allows users to connect to their own SharePoint Online environments to download and download files from their document libraries. I use the code below to get Site and List objects. My current problem with this method is that every time it is called, a login window appears (from GetWebLoginClientContext) and disappears, because the user would have been logged in from the start. I need to use this method because it works with accounts for which multifactor authentication is enabled.

Is there another way to connect to SPO with MFA enabled without having to see the popup every time it needs to load Sites and Lists?

I read about app authentication only with the client ID and client secret, however, this only works with the SP site that creates the ID and the secret.

    // Generic type arguments restored: Dictionary<string, string> (url -> title)
    // and List<List> of Microsoft.SharePoint.Client.List objects.
    private void GetSitesAndLists(string siteUrl, out Dictionary<string, string> teamSites, out List<List> documentLibraries)
    {
        // Interactive (web) login is the only PnP option that works with MFA-enabled accounts here.
        using (ClientContext clientContext = _authManager.GetWebLoginClientContext(siteUrl))
        {
            Web web = clientContext.Web;
            // Subsites the current user can see, with only Url and Title loaded.
            WebCollection site = web.GetSubwebsForCurrentUser(null);
            clientContext.Load(site, we => we.Include(w => w.Url, w => w.Title));
            clientContext.ExecuteQuery();
            teamSites = site.ToDictionary(w => w.Url, w => w.Title);
            teamSites = teamSites.OrderBy(kvp => kvp.Value).ToDictionary(k => k.Key, k => k.Value);
            // Visible document libraries only (BaseTemplate 101 = generic document library).
            ListCollection libraries = web.Lists;
            clientContext.Load(libraries, l => l.Include(li => li.DefaultViewUrl, li => li.BaseType, li => li.Title, li => li.BaseTemplate, li => li.Hidden));
            clientContext.ExecuteQuery();
            documentLibraries = libraries.Where(lib => lib.BaseType == BaseType.DocumentLibrary && lib.Hidden == false && lib.BaseTemplate == 101).ToList();
        }
    }

multi factor – Should I propose MFA 'Any n' or 'n Random' in my web application, or simply 'All MFA'?

I am building a new web application and am currently working on the multifactor authentication part. I would like to offer a choice in MFA and I am thinking about what I can do. I have a plan, but I'm afraid that two of the options I am thinking of proposing seem safer but in reality are less so than the basic option.

When creating MFA on the account, I was thinking of a form similar to ((...) represents a form field):

In addition to every login, require MFA every (d) days.
Require (All | Any n | n Random) factors, where n is (f)

Requiring all MFA factors is certainly the safest, but is Any n or n Random better or worse than All MFA with one factor fewer?

For example, are 2 factors, of which you do not know which one will be asked for, less secure than 1 factor that you will always be asked for? Is this also true for 3 factors, where 2 random factors will be required, as opposed to 2 factors always required?

This certainly adds additional obstacles from the point of view of needing to obtain additional codes, but you can also keep trying (with delay) until the correct code is requested, so the problem may not be so difficult.

On the other hand, if I guess / brute force, I have a better chance of getting it right if I do not have to take into account all the factors. With Any 1 of 2 factors, for example, I've doubled my chances of guessing it because it can match one or the other of the factors.

Should I have All MFA, or should I also show the other options?

Thank you!