Multi-Factor Authentication for Assessments
WhiteHat Dynamic supports authenticated scanning of sites and web apps that implement multi-factor authentication (MFA).
MFA is when a user logs in to a website using their credentials (username and password) and one or more additional factors. The number of factors a user needs to provide varies according to the MFA method. In one common scenario, a one-time password (OTP) is sent to the user by email or SMS text message, or a token is generated by the user in a mobile app, such as Google Authenticator. Users must enter the password or token into the site to successfully authenticate.
Requiring all users to log in through MFA is a recommended way to improve general web security.
Discovery of MFA sites
The Deployment Team will discover sites that require MFA as a standard part of the DAST Onboarding process. You can notify us of MFA sites at any time.
MFA functionality can also be added to sites after onboarding, at any point in the asset lifecycle.
Supported MFA Methods
WhiteHat Dynamic supports three different MFA methods for authenticated site scans. The setup and configuration process is different for each method.
| Supported MFA Method | Description | Setup guide |
|---|---|---|
Time-based One-time Password (TOTP) |
With TOTP MFA, a user authenticates by entering a TOTP token generated in a mobile app, such as Google Authenticator, as well as their username and password. This solution is self-service through the WhiteHat Portal. You do not need to open a Support case. |
|
Mobile SMS (text message) |
This solution is delivered through the Twilio API. SMS-based MFA is not included in our standard service levels; it is available to purchase as an add-on license for each Site asset. |
|
With Email MFA, a user logs in to a site using their credentials and a one-time password (OTP) that was sent to them by email only. Configuration is by a Synopsys Technical Support engineer and a WhiteHat Administrator. |