
My company accesses a third-party website that uses a simple username + password authentication method. This vendor can restrict application (website) access to a defined IP range. We are trying to implement 2-factor authentication to protect the website. We don't have access to the source code of the vendor's website, so we cannot implement 2FA natively on the website.

I was thinking of creating an AWS EC2 instance with 2FA and restricting the third-party vendor website to just this IP.

Another option is to create a proxy server (with 2FA, I don't know if that is possible) and restrict the IP address to just the proxy.

Is this a best practice? Does anyone have another idea?

p.magalhaes
  • What authentication backends does it support? 2FA RADIUS with Google Auth and (any PAM auth, such as LDAP, local, etc.) is really simple. – Jacob Evans Mar 22 '17 at 12:46
  • `We are trying to implement 2-Factor Authentication to protect the website. We don't have access to source code of the website vendor, so we could not implement 2FA native on the website. I was thinking in create a AWS EC2 instance with 2FA and restrict the third-party vendor website just to this IP.` - If you don't have access to the website code then how does implementing MFA on your side prevent me or anyone else from accessing the website? How are you going to protect a website that isn't under your control? – joeqwerty Mar 22 '17 at 13:07

2 Answers


Can I use the IP access restrictions that the vendor does support to restrict access to a (reverse) proxy and then can enable dual-factor authentication on the proxy?

Yes you could, but that still doesn't offer you actual dual factor authentication.

The problem is that although people would be required to authenticate with dual-factor to the proxy server, to log in to the website they will still be asked for a username and password. And nothing prevents them from using somebody else's username and password rather than their own to log in.

UserA on the proxy can log on as UserB on the third-party website, which is what dual-factor is supposed to prevent!

HBruijn
  • Are you saying that the only way to implement 2FA is to implement it on the vendor side, right? – p.magalhaes Mar 22 '17 at 14:36
  • @p.magalhaes Yes indeed. The vendor needs to add support for dual-factor. Sometimes if coding actual 2FA support is too much effort a more lightweight option is to get your reverse proxy to set a custom header that indicates what credentials the user authenticated with and then their website only needs to interpret that header and prevent the user from authenticating as a different user. – HBruijn Mar 22 '17 at 14:58
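The identity-binding problem this answer describes, and the header-based mitigation from the comment, as an added example (not code from the original thread or from any of its authors). It assumes the proxy keeps its own user list with a password hash and a TOTP secret (RFC 6238, the RFC's own test-vector secret is used so the codes can be checked), stamps a hypothetical `X-Authenticated-User` header on everything it forwards, and that the vendor adds one check to its login handler: the form username must equal that header. All usernames, passwords and salts are constructed sample data.

```python
import hashlib
import hmac
import struct
from urllib.parse import parse_qs

# --- Second factor: TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) -------

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a Unix timestamp (RFC 6238 on top of RFC 4226)."""
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps of clock skew."""
    return any(
        hmac.compare_digest(totp(secret, now + delta * 30), code)
        for delta in range(-window, window + 1)
    )


# --- Proxy-side user store (constructed sample data, not real credentials) ----

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_ALICE_SALT = b"constructed-salt"
PROXY_USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "pw_hash": _hash_password("correct horse battery staple", _ALICE_SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 Appendix B test secret
    },
}

AUTH_HEADER = "X-Authenticated-User"   # hypothetical header name, chosen for this example


def proxy_authenticate(username: str, password: str, code: str, now: int):
    """Both factors are checked at the proxy. Returns the username, or None."""
    user = PROXY_USERS.get(username)
    if user is None:
        return None
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    if not (pw_ok and verify_totp(user["totp_secret"], code, now)):
        return None
    return username


def build_upstream_request(proxy_user: str, client_headers: dict, body: str) -> dict:
    """Forward a request to the vendor site stamped with the proxy's own notion
    of who the user is. Any client-supplied copy of the header is dropped first,
    so a browser behind the proxy cannot forge it."""
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != AUTH_HEADER.lower()}
    headers[AUTH_HEADER] = proxy_user
    return {"headers": headers, "body": body}


# --- Vendor-side check: the one change the vendor would have to make ---------

def vendor_login_allowed(headers: dict, body: str) -> bool:
    """The username in the login form must be the identity the proxy
    authenticated; otherwise UserA on the proxy can still log in as UserB."""
    proxy_user = headers.get(AUTH_HEADER)
    form_user = parse_qs(body).get("username", [None])[0]
    if proxy_user is None or form_user is None:
        return False
    return hmac.compare_digest(proxy_user, form_user)
```

Without `vendor_login_allowed` the proxy's 2FA only gates reaching the site; the header is what ties the proxy's verified identity to the account actually being used. The vendor must also only trust the header on connections from the proxy's IP, which is exactly the restriction the question says the vendor already supports.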

Yes that would provide for dual authentication, although:

1) It is possible to spoof IP addresses, even with TCP - using a VPN (a proper VPN with its own IP network addresses and mutual authentication, e.g. IPSEC or an ssh tunnel, not the cheap anonymizing services you'll see in Google if you search for 'VPN') would resolve this

2) With only a single proxy, your availability is halved.

3) Can you really control how fixed the "fixed" IP address of the proxy is (hint: you can if it's "127.0.0.1")

Alternatively you could spend enormous amounts of money on a Privileged Access/Identity Management solution (and then find out just how restrictive this is in practice).

symcbean