The web portal, which is reachable from the open Internet, is used by customers to manage their order data. It is multi-user capable, and some users hold extended rights. Because these administrative accounts carry a potential for abuse, the security pentest that was carried out recommended protecting them with 2-factor authentication so that the risk of abuse from outside is kept as low as possible. We implemented this functionality and carried out the quality tests of the implementation.
The web portal is implemented with the ASP.NET web application framework, and all data is persisted in a SQL Server Express database. The ASP.NET framework is also used to integrate the 2-factor authentication into the web portal as seamlessly as possible. The processing of the 2-factor authentication takes place on the server side without exception; it is handled by server-side processing of the data through the class libraries of the ASP.NET framework. The newly created functionality implements a so-called two-factor authentication: the user has to identify himself with two independent factors, namely a password and a code that the user receives by email.
If 2-factor authentication is activated for a user account, the user must, after the password has been checked successfully, additionally identify himself with a so-called verification code. The verification code is generated by a random generator and sent by email to the email address stored for the user. Once the user has authenticated himself with the verification code (token) created for him, ASP.NET generates a temporary cookie that describes the user. By default, this authentication is checked for validity every 30 minutes.
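The server-side part of this flow, as an added C# example that is not the portal's own code: a small service that issues the emailed verification code after the password check and later verifies it. The page only states that the code comes from a random generator; the salted hash storage, expiry window, single-use handling and attempt limit shown here are assumptions about how such a code should be protected, and the class and method names are invented for the example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Issues and verifies the emailed verification code on the server side only.
// The code is drawn from the CSPRNG, kept on the server only as a keyed hash,
// expires after a short window, is single-use and allows a bounded number of attempts.
public sealed class EmailCodeService
{
    private sealed record PendingCode(byte[] Salt, byte[] Hash, DateTimeOffset ExpiresAt, int AttemptsLeft);

    private readonly ConcurrentDictionary<string, PendingCode> _pending = new();
    private readonly TimeSpan _lifetime;
    private const int MaxAttempts = 5;

    public EmailCodeService(TimeSpan lifetime) => _lifetime = lifetime;

    // Called after the password check succeeded. Returns the code to be emailed;
    // only a salted hash of it is stored, so a database read does not reveal the code.
    public string Issue(string userId, DateTimeOffset now)
    {
        // 6-digit code from the CSPRNG, zero-padded so every value is equally likely.
        string code = RandomNumberGenerator.GetInt32(0, 1_000_000).ToString("D6");
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        _pending[userId] = new PendingCode(salt, Digest(salt, code), now + _lifetime, MaxAttempts);
        return code;
    }

    // Verifies the submitted code. Expired codes are dropped, a correct code is
    // consumed, and wrong guesses use up attempts so the 6 digits cannot be brute-forced.
    public bool Verify(string userId, string submitted, DateTimeOffset now)
    {
        if (!_pending.TryGetValue(userId, out var pending)) return false;
        if (now > pending.ExpiresAt) { _pending.TryRemove(userId, out _); return false; }

        // Constant-time comparison of the two digests avoids a timing side channel.
        bool ok = CryptographicOperations.FixedTimeEquals(pending.Hash, Digest(pending.Salt, submitted ?? ""));
        if (ok || pending.AttemptsLeft <= 1)
            _pending.TryRemove(userId, out _);   // single-use, or attempts exhausted
        else
            _pending[userId] = pending with { AttemptsLeft = pending.AttemptsLeft - 1 };
        return ok;
    }

    private static byte[] Digest(byte[] salt, string code)
    {
        using var hmac = new HMACSHA256(salt);   // per-code salt used as the HMAC key
        return hmac.ComputeHash(Encoding.UTF8.GetBytes(code));
    }
}
```

In the portal itself the pending code would be stored next to the user record in the SQL Server database, with the read-check-update done in one transaction rather than in the in-memory dictionary used here for illustration.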