4.11 GHT2-011 --- Missing Multi-factor Authentication
Vulnerability ID: GHT2-011
Retest status:
Vulnerability type: Missing MFA
Threat level: Moderate
Description:
No multi-factor authentication (MFA) is configured anywhere on the platform. This includes the Django Admin portal as well as the Learning and Studio environments.
Technical description:
Screenshot of the application's admin login portal:
Note that access to Django Administration is only allowed from allow-listed IP addresses, which reduces the attack surface and therefore the threat level of this finding. The same restriction does not apply to the Learning and Studio environments: these are reachable from any source address, and highly privileged accounts such as staff and superusers log in there with a password alone, with no MFA available to them.
Impact:
- Multi-factor authentication for administrators and other highly privileged accounts is a strongly recommended security practice. Without it, the password is the only barrier protecting staff and superuser accounts: a single phished, guessed, reused or leaked password is enough to take over such an account, and for the Learning and Studio environments this can be attempted from any source address, since no IP allow-listing applies there.
Recommendation:
- Offer MFA to all users of the platform and enforce it for highly privileged accounts such as staff, superusers and Django admin users. Apply this to the Django Admin portal as well: the IP allow-list reduces exposure but is not a substitute for a second factor.
Edited by Maarten de Waard