Multi-Factor Authentication for Assessments

Continuous Dynamic supports authenticated scanning of sites and web apps that implement multi-factor authentication (MFA).

MFA is when a user logs in to a website using their credentials (username and password) and one or more additional factors. The number of factors a user needs to provide varies according to the MFA method. In one common scenario, a one-time password (OTP) is sent to the user by email or SMS text message, or a token is generated by the user in a mobile app, such as Google Authenticator. Users must enter the password or token into the site to successfully authenticate.

Requiring all users to log in through MFA is a recommended way to improve general web security.

Discovery of MFA sites

The Deployment Team will discover sites that require MFA as a standard part of the DAST Onboarding process. You can notify us of MFA sites at any time.

MFA functionality can also be added to sites after onboarding, at any point in the asset lifecycle.

Supported MFA Methods

Continuous Dynamic supports three different MFA methods for authenticated site scans. The setup and configuration process is different for each method.

Supported MFA Method Description Setup guide

Time-based One-time Password (TOTP)

With TOTP MFA, a user authenticates by entering a TOTP token generated in a mobile app, such as Google Authenticator, as well as their username and password. This solution is self-service through the Continuous Dynamic Portal. You do not need to open a Support case.

Setting up Time-based One-time Password (TOTP) MFA

Mobile SMS (text message)

This solution is delivered through the Twilio API. SMS-based MFA is not included in our standard service levels; it is available to purchase as an add-on license for each Site asset.

Setting up SMS-Based Multi-Factor Authentication

Email

With Email MFA, a user logs in to a site using their credentials and a one-time password (OTP) that was sent to them by email only. Configuration is by a Black Duck Technical Support engineer and a WhiteHat Administrator.

Setting up Email Multi-Factor Authentication