Multi-factor Authentication
WhiteHat’s multi-factor authentication (MFA) solution allows customers who have MFA turned on to require users to enter a secondary authentication token into the Sentinel UI in addition to the username and password. This single-use secondary authentication token is delivered to the user via SMS text messaging to the user’s cell phone (or via voice code delivery if SMS is not available). Once MFA is turned on for a particular customer, all users logging in to Sentinel from that customer must use MFA.
To set up an MFA user, an administrator will create a user profile for that user. The profile will include at least one, and preferably two, telephone numbers: the number in the “mobile” field will be used first, and if that fails then the system will try the number in the “phone” field. Telephone numbers should be entered with the country code: for example, for the US, the phone number (234) 567-8901 should be entered as +1 234 567 8901. (Note that if the local part of the phone number has a leading zero, the zero should be omitted. A UK number 012 3456 7890 would be formatted as +44 12 3456 7890.)
To use MFA, a user will:
- Log in with their Sentinel username and password.
- Receive a text message (or voice code) with a one-time authentication token (a series of numbers).
- Enter that one-time authentication token into the field presented to them in Sentinel.
If that code can be validated, the user is successfully logged in. If the code cannot be validated, the user is not logged in. The login page will offer the option of sending a new code.
If there is no cell phone number listed for the user, the system will attempt to send the message to the work phone number listed in the user’s profile. If that does not succeed, the user will be asked to contact WhiteHat Customer Support; CS will help them contact their administrator to add a usable phone number to their account. Note that MFA is set up to be required every time a user logs in. The system generates an MFA cookie with a four-hour lifespan. This protects your system from extended exposure if an unauthorized user has gained access via a legitimate user’s MFA.
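The flow described above (mobile number first, then the work phone; a single-use numeric token; an MFA cookie that expires after four hours), modelled in Python as an added example that is not WhiteHat’s or Sentinel’s code. The six-digit token length, the five-minute token validity window, the `send` callback and the caller-supplied `now` clock are assumptions; the page only says the code is a series of numbers.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

TOKEN_DIGITS = 6           # assumption: the page only says "a series of numbers"
TOKEN_TTL = 5 * 60         # assumption: seconds a delivered code stays valid
COOKIE_TTL = 4 * 60 * 60   # from the page: the MFA cookie lives four hours

@dataclass
class User:
    username: str
    mobile: Optional[str] = None   # tried first
    phone: Optional[str] = None    # work number, tried only if mobile delivery fails

@dataclass
class MfaState:
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # username -> (token, issued_at)
    cookies: Dict[str, float] = field(default_factory=dict)              # cookie -> expiry time

def issue_token(state: MfaState, user: User, send: Callable[[str, str], bool],
                now: float) -> Optional[str]:
    """Generate a fresh numeric token and deliver it: mobile first, then phone.
    Returns the number that accepted delivery, or None (user must contact support)."""
    token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_DIGITS))
    for number in (user.mobile, user.phone):
        if number and send(number, token):         # send() is a hypothetical SMS/voice hook
            state.pending[user.username] = (token, now)   # replaces any earlier code
            return number
    return None

def verify_token(state: MfaState, user: User, submitted: str, now: float) -> Optional[str]:
    """Validate the submitted code; on success consume it (single use) and mint an MFA cookie."""
    entry = state.pending.get(user.username)
    if entry is None:
        return None
    token, issued = entry
    if now - issued > TOKEN_TTL or not secrets.compare_digest(token.encode(), submitted.encode()):
        return None   # wrong or expired: the login page offers to send a new code
    del state.pending[user.username]               # a token can only be used once
    cookie = secrets.token_urlsafe(32)
    state.cookies[cookie] = now + COOKIE_TTL
    return cookie

def cookie_valid(state: MfaState, cookie: str, now: float) -> bool:
    """An MFA cookie is honoured only until its four-hour lifespan ends."""
    expiry = state.cookies.get(cookie)
    return expiry is not None and now < expiry
```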