Using Two-factor Authentication

Two-factor authentication augments the standard password, which is the "something you know" factor, with a second factor such as "something you have" (for example, a one-time code delivered to the user's phone by SMS or to an email address).

While this second factor of authentication improves security, it adds a layer of complexity when conducting an automated scan of web applications that implement it.

Fortify engineers have developed a method and process that enable Fortify WebInspect and the Web Macro Recorder with Macro Engine 7.1 to automate the "something you have" factor of two-factor authentication.

How Scanning with Two-factor Authentication Works

Fortify WebInspect includes a Node.js server that you configure as a control center to process the SMS and email responses coming from your application server. There is also a mobile application that forwards SMS responses to the control center. The control center queues the responses and forwards them to the appropriate TruClient browser when that browser needs one for authentication.
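The control-center flow described above, as an added illustrative example in Node.js. This is not Fortify's control-center or mobile-application code; the JSON payload shape, the recipient allowlist, the time-to-live for queued codes and all function names are assumptions made for the example. It shows the three things such a broker has to get right: extract the one-time code from a message body, keep codes keyed per channel and per recipient so a multi-user scan cannot consume another user's code, and drop stale codes so a code from an earlier login attempt is never replayed into a later one. The allowlist enforces the "test phones and test email addresses only" recommendation in code rather than by convention.

```javascript
// Minimal 2FA "control center" queue (illustrative, not Fortify's implementation).
// Assumed inbound payload from the forwarding app or mail poller (assumption):
//   { channel: "sms" | "email", to: "<recipient>", body: "<message text>" }

// A one-time code is assumed to be a standalone run of 4-8 digits. The \b anchors
// mean a 10-digit phone number in the message body does not match.
const CODE_RE = /\b(\d{4,8})\b/;

function extractCode(body) {
  const m = CODE_RE.exec(String(body));
  return m ? m[1] : null;
}

// Normalise recipients so "+1 555-000-1111" and "+15550001111" (or "QA@x" and "qa@x")
// share one queue.
function normalizeRecipient(recipient) {
  return String(recipient).replace(/[\s\-()]/g, "").toLowerCase();
}

class ControlCenter {
  // ttlMs: how long a queued code stays usable; now: injectable clock for testing.
  // allowedRecipients: only test identities may have codes queued (assumption).
  constructor({ ttlMs = 2 * 60 * 1000, now = Date.now, allowedRecipients = [] } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.allowed = new Set(allowedRecipients.map(normalizeRecipient));
    this.queues = new Map(); // "channel:recipient" -> [{ code, receivedAt }]
  }

  key(channel, recipient) {
    return `${channel}:${normalizeRecipient(recipient)}`;
  }

  // Called for every forwarded message. Returns true if a code was queued.
  deliver({ channel, to, body }) {
    const recipient = normalizeRecipient(to);
    if (this.allowed.size && !this.allowed.has(recipient)) return false; // not a test identity
    const code = extractCode(body);
    if (!code) return false; // message carried no code
    const k = this.key(channel, recipient);
    if (!this.queues.has(k)) this.queues.set(k, []);
    this.queues.get(k).push({ code, receivedAt: this.now() });
    return true;
  }

  // Non-blocking fetch used by the wait loop: oldest fresh code, or null.
  take(channel, recipient) {
    const q = this.queues.get(this.key(channel, recipient)) || [];
    const cutoff = this.now() - this.ttlMs;
    while (q.length && q[0].receivedAt < cutoff) q.shift(); // discard expired codes
    const entry = q.shift();
    return entry ? entry.code : null;
  }

  // What a "Wait for 2FA" step would call: poll until a code arrives or time out.
  async waitForCode(channel, recipient, { timeoutMs = 60 * 1000, pollMs = 500 } = {}) {
    const deadline = this.now() + timeoutMs;
    for (;;) {
      const code = this.take(channel, recipient);
      if (code) return code;
      if (this.now() >= deadline) {
        throw new Error(`timed out waiting for ${channel} code for ${recipient}`);
      }
      await new Promise((resolve) => setTimeout(resolve, pollMs));
    }
  }
}

module.exports = { extractCode, normalizeRecipient, ControlCenter };
```

In a real deployment the `deliver` call sits behind an authenticated HTTP endpoint that only the forwarding app and the mail poller can reach; an unauthenticated endpoint would let anyone inject a code and steer the scanner's login.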

Recommendation

Fortify strongly recommends that you use test phones and test email addresses only. For privacy reasons, do not use personal phones and email addresses.

Known Limitations

The following known limitations apply to the two-factor authentication feature:

Understanding the Process

The following table describes the process for conducting a scan using two-factor authentication.

Stage   Description

1.      In the Fortify WebInspect application settings for two-factor authentication, do the following:

          • Configure the two-factor authentication control center

          • Configure the mobile application (if SMS responses are used)

        For more information, see Application Settings: Two-Factor Authentication.

2.      In the Web Macro Recorder with Macro Engine 7.1, record a login macro and modify it as follows:

          1. Add and configure a Two-factor authentication group step.

             Note: You must configure the group step for SMS or email responses. The group step includes a Wait for 2FA step that you must also configure.

          2. Optionally, create username, password, phone number, email, and email password parameters. Using parameters for two-factor authentication allows you to conduct a multi-user login scan.

          3. Configure the Wait for 2FA step.

          4. Add a Generic Object Action step and configure it as a Type step.

          5. Add a Generic Object Action step and configure it as a Click step.

        For more information, see the Micro Focus Fortify WebInspect Tools Guide.

3.      In the Web Macro Recorder, replay the login macro.

4.      Optionally, if conducting a multi-user login scan, add credentials for username, password, phone number, email, and email password in the Scan Settings: Authentication window. For more information, see Multi-user Login Scans and Scan Settings: Authentication.

5.      In Fortify WebInspect, run a scan using the macro.