Hi All,
Our client wants to perform penetration testing on the MFA functionality on UAT. Below is our implementation of the MFA functionality using Azure AD; we have used the Microsoft Login Connector Reactive (Component Link) and Microsoft Login Connector Management (Component Link) forge components.
Below is the implementation in our main application. When the user tries to access the application dashboard, we send a request to Azure using the implementation below:
Once the user is authenticated on the Azure side, we receive the response on the callback page of the Microsoft Login Connector Reactive forge component, and after successful authentication the user is redirected to the app dashboard page. Below is the implementation on the callback page:
Below are the input parameters for the initial callback page server action:
Do you see any security risk in the above implementation? If yes, please share your thoughts and suggestions to improve the app's MFA login security.
In the Microsoft Login Connector Management forge component we have registered our app and stored the client secret and tenant details, which we get from the Azure app registration; only admins have access to log in to the app to manage the app configuration. Below is a sample example:
If anyone has prior experience with this kind of implementation, please suggest ways to improve the security of the MFA login mechanism. We would appreciate your quick response and suggestions to improve the security of our app. Thanks in advance.
Hi All,
Hope you are doing well!
Are there any suggestions on the above implementation? Please share your thoughts and inputs on the same.
Thanks,
Ajit Kurane.
Hi @Ajit Kurane
There seems to be a security risk in your current MFA implementation, but it's not broken.
This should be acceptable for many enterprise apps. But for strict security / pen-test / compliance, you should add token-level MFA validation and callback hardening.
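To make the two suggestions in this reply concrete, here is an added Python example (not code from this thread or from the Microsoft Login Connector forge components) of the checks a callback server action can run before redirecting to the dashboard: a `state` comparison against the value saved in the user's session (callback hardening), and claim checks on the ID token returned by Azure AD (issuer, audience, tenant, expiry, nonce, and an `amr` entry of `"mfa"` proving a second factor was completed). The tenant ID, client ID, session keys and the token itself are constructed placeholders; it assumes the token carries an `amr` claim, and it assumes the connector has already verified the token signature against the tenant's published signing keys, which is not shown here.

```python
import base64
import hmac
import json
import time

# Constructed placeholders for the app-registration values the connector stores
# (tenant and client IDs); they are not real identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
CLOCK_SKEW_SECONDS = 120


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Assumption: signature verification against the tenant's signing keys has
    already been done by the login connector. This helper only parses the
    payload; it must never be the sole check on an untrusted token.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_callback_state(returned_state, expected_state) -> bool:
    """Callback hardening: the `state` echoed back by Azure must equal the
    unguessable value saved in the session when the sign-in was started.
    A missing or different value means this session did not initiate the
    callback (CSRF / login-forgery defence)."""
    if not returned_state or not expected_state:
        return False
    return hmac.compare_digest(returned_state, expected_state)


def validate_mfa_claims(claims: dict, expected_nonce, now=None):
    """Token-level MFA validation on decoded ID token claims.
    Returns (ok, reason); every check must pass before showing the dashboard."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    if claims.get("aud") != CLIENT_ID:
        return False, "audience mismatch"
    if claims.get("tid") != TENANT_ID:
        return False, "tenant mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW_SECONDS:
        return False, "token expired"
    nonce = claims.get("nonce")
    if not (nonce and expected_nonce and hmac.compare_digest(nonce, expected_nonce)):
        return False, "nonce mismatch"
    # amr lists the authentication methods used for this sign-in; "mfa" is
    # present only when a second factor was actually completed.
    if "mfa" not in (claims.get("amr") or []):
        return False, "MFA not performed"
    return True, "ok"


def process_callback(returned_state, id_token, session: dict, now=None):
    """The order of checks the callback server action should follow."""
    if not check_callback_state(returned_state, session.get("oauth_state")):
        return False, "state mismatch"
    claims = decode_id_token_claims(id_token)
    return validate_mfa_claims(claims, session.get("oidc_nonce"), now)


def make_constructed_id_token(claims: dict) -> str:
    """Constructed test token. A real Azure AD token is RS256-signed; the
    signature segment is a fixed placeholder because only claim checks run here."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def demo_session() -> dict:
    """Constructed session values saved when the sign-in request was sent."""
    return {"oauth_state": "state-abc123", "oidc_nonce": "nonce-xyz789"}


def demo_claims(amr) -> dict:
    """Constructed claim set shaped like an Azure AD v2.0 ID token payload."""
    return {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID,
            "exp": 1_700_000_000 + 3600, "nonce": "nonce-xyz789", "amr": amr}


if __name__ == "__main__":
    session, now = demo_session(), 1_700_000_000
    good = make_constructed_id_token(demo_claims(["pwd", "mfa"]))
    weak = make_constructed_id_token(demo_claims(["pwd"]))
    print(process_callback("state-abc123", good, session, now))   # (True, 'ok')
    print(process_callback("state-abc123", weak, session, now))   # (False, 'MFA not performed')
    print(process_callback("state-forged", good, session, now))   # (False, 'state mismatch')
```

The session values (`oauth_state`, `oidc_nonce`) are generated per sign-in request and cleared once the callback has been processed, so a replayed or forged callback cannot pass the state and nonce checks; the `amr` check is what turns "the user signed in" into "the user completed MFA".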