Setting up Email Multi-Factor Authentication

The DAST scanner can authenticate to sites and web apps that utilize email multi-factor authentication (Email MFA). With Email MFA, an authorized user logs in to a site using their credentials followed by a one-time password (OTP) that was sent to them by email only.

The process of configuring Site assets for Email MFA is performed by a Synopsys Technical Support engineer and by you, a WhiteHat Administrator. It can be started before or after Site onboarding.

When a Site asset is configured for Email MFA, the site sends OTPs to a dedicated WhiteHat Dynamic MFA email server. These OTPs are used by the DAST scanner to automatically authenticate to the site, without affecting in progress scans. If needed, an authorized Synopsys engineer can authenticate to the site using an OTP, for example, to start a business logic assessment (BLA), a re-test, or to make configuration changes.

Email MFA is one of three options for multi-factor authentication for assessments. WhiteHat Dynamic also supports SMS-Based Two-Factor Authentication and time-based one-time password (TOTP) MFA (for details, see Adding or Editing Scanning Credentials).

Identifying Sites that use Email MFA

If possible, identify all sites and web apps that use Email MFA during the DAST onboarding process. To speed up onboarding, please create a Support case to notify Synopsys Technical Support of any such sites during the Prerequisites phase. Create one Support case for each Email MFA site you need to configure.

If Email MFA sites are not identified at this stage, they will be manually discovered by Threat Research Center (TRC) engineers during the later Pre-configuration or Configuration phases. In this case, TRC engineers will create a Support case to notify you of each Email MFA site.

Configuring a Site Asset for Email MFA

Here are the steps to configure a single Site asset for Email MFA:

  1. Either you or a TRC engineer identifies one or more sites that use Email MFA.

  2. For each Site asset, your Customer Support Manager (CSM) or a Synopsys Technical Support engineer provides you with an MFA slot email via an associated Support case. They will either create a new case or update an existing case, depending on who identified the requirement for Email MFA.

    MFA slot emails

    An MFA slot email is a site-specific email address in the following format:

    US customers:
    
    mfa<SlotID>.slot@whsec.us
    
    EU customers, e.g. Germany:
    
    mfa<SlotID>.slot@whsec.de

    The SlotID is part of the site’s scan URL in the WhiteHat Portal, e.g. https://source.whitehatsec.com/asset-management/site-summary/12345/scan

    When a set of scanning credentials is configured with the site’s MFA slot email, those credentials will work with our internal Email MFA solution. The site sends OTPs to the MFA slot email. The DAST scanner then authenticates to the site using an OTP and proceeds to scan the site’s authenticated content.

  3. In the WhiteHat Portal, update the Site asset’s credentials to use the MFA slot email. For help, see Adding or Editing Scanning Credentials. You should update both the primary and secondary credentials for the site.

  4. You also need to update your site or web app.

    1. Locate the user account that is associated with the Site asset’s credentials.

    2. Update the user account with the provided MFA slot email.

The above process must be repeated for each Site asset that uses Email MFA. Each Email MFA site must have a separate MFA slot email.

Further configuration

Synopsys engineers must perform some further configuration before the Site asset is fully set up for Email MFA. Your CSM or a Technical Support engineer will update the associated Support case when these steps have been completed.