Setting up SMS-Based Multi-Factor Authentication
Continuous Dynamic scan services can be configured for sites and web apps that utilize SMS-based multi-factor authentication (MFA). With SMS-based MFA, after entering their credentials, an authorized user enters a one-time passcode (OTP) that was sent to their cellphone by SMS (text message) only. If the OTP is accepted by the site, the user is authenticated.
Add-On Licenses for SMS-based Multi-Factor Authentication
You need to purchase an additional license for each Site asset that uses SMS-based MFA. To purchase a license, please contact your Customer Support Manager (CSM).
How it Works
Continuous Dynamic integrates with the third-party Twilio messaging service to enable authenticated scans of Site assets which use SMS-based MFA.
First, the solution must be configured in Twilio, Continuous Dynamic, and your own application. For details of these tasks, see Configuring a Site Asset for SMS-Based MFA.
When the DAST scanner logs in to assess the asset, it will initially provide the site’s scan credentials (the first factor).
If the asset accepts the credentials, it will proceed to request the OTP (the second factor) and send the SMS to the Twilio-originated mobile number defined for the asset.
The scanner will receive the SMS code via the phone number and then submit it to the asset. The asset will either accept or reject the code. If the code is accepted, the scan will continue from that point; if it is rejected, the scan will end.
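The webhook leg of this flow, shown as an added illustration rather than the product's own code: a minimal receiver for Twilio's inbound-SMS webhook that verifies the X-Twilio-Signature header before trusting the message (so a forged POST cannot plant a bogus OTP), maps the destination number to its Site asset, and holds the code for the scanner to submit once. The endpoint URL, auth token, number-to-asset mapping and message text are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Constructed placeholders: the Twilio auth token, the webhook URL registered
# in Twilio, and the Twilio-originated number assigned to one Site asset.
AUTH_TOKEN = "TWILIO_AUTH_TOKEN_PLACEHOLDER"
WEBHOOK_URL = "https://scanner.example.com/twilio/inbound"
SITE_NUMBERS = {"+15005550006": "site-asset-42"}

# One pending OTP per Site asset; the scanner consumes it after the first factor.
otp_inbox: dict[str, str] = {}


def twilio_signature(url: str, params: dict[str, str], token: str) -> str:
    """Value Twilio puts in X-Twilio-Signature: HMAC-SHA1 over the full URL
    plus every POST parameter as key+value in sorted key order, base64-encoded."""
    payload = url + "".join(k + params[k] for k in sorted(params))
    digest = hmac.new(token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def extract_otp(body: str) -> Optional[str]:
    """Pull the first 6-8 digit code out of the SMS text."""
    m = re.search(r"\b(\d{6,8})\b", body)
    return m.group(1) if m else None


def handle_inbound_sms(url: str, params: dict[str, str], signature: str) -> Optional[str]:
    """Webhook handler. Returns the Site asset id whose OTP was stored,
    or None when the request is rejected."""
    expected = twilio_signature(url, params, AUTH_TOKEN)
    if not hmac.compare_digest(expected, signature):
        return None  # forged or tampered webhook call: do not trust the body
    asset = SITE_NUMBERS.get(params.get("To", ""))
    if asset is None:
        return None  # destination number is not assigned to any Site asset
    code = extract_otp(params.get("Body", ""))
    if code is None:
        return None  # message carries no passcode
    otp_inbox[asset] = code
    return asset


def next_otp(asset: str) -> Optional[str]:
    """Hand the pending OTP to the scanner exactly once."""
    return otp_inbox.pop(asset, None)
```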
Identifying Sites
If possible, identify all sites that use SMS-based MFA during the DAST onboarding process. To speed up onboarding, please create a Support case to notify Black Duck Technical Support of any such sites during the Prerequisites phase. Create one Support case for each SMS-based MFA site you need to configure.
If SMS-based MFA sites are not identified at this stage, they will be manually discovered by Threat Research Center (TRC) engineers during the later Pre-configuration or Configuration phases. In this case, TRC engineers will create a Support case to notify you of each such site.
Configuring a Site Asset for SMS-Based MFA
Here are the steps to configure a single Site asset for assessments through SMS-based MFA:
1. Prerequisites: Purchase an add-on license for SMS-based MFA by contacting your Customer Support Manager (CSM).
2. Create a Support case to request that SMS-based MFA is set up for the site (see Contact Us).
   Alternatively, an Onboarding Support engineer creates a Support case notifying you that the site requires SMS-based MFA for assessments.
3. Wait while a Black Duck Technical Support engineer configures Twilio. They will:
   - Establish a new mobile number.
   - Associate the mobile number with your Continuous Dynamic account.
   - Configure webhooks.
   When the Twilio configuration is complete, Technical Support updates the Support case with the mobile number that is associated with the site and information on what to do next.
4. As described in the Support case, you need to update the scanning account—the user account in your application that is associated with the Site asset’s scanning credentials in the Continuous Dynamic Portal.
   a. Update the scanning account to use the mobile number you received from Technical Support, so that one-time passcodes are sent to that mobile number.
      In some cases, Technical Support can update the scanning account (step 4a) without your involvement.
   b. After you have updated the scanning account, update the associated Support case to notify Technical Support.
5. The Technical Support engineer completes the Further Configuration steps.
This task must be repeated for each Site asset that uses SMS-based MFA. Each SMS-based MFA site must have a separate Twilio-originated mobile number.
Further Configuration
Black Duck engineers must perform further configuration before the Site asset is ready for authenticated scanning through SMS-based MFA. They will configure the DAST scanner for the Site asset and associated mobile number.
When these steps are complete, your CSM or a Technical Support engineer will update the associated Support case.