GSA-TTS / tts-tech-operations

TTS Technology Operations
https://handbook.tts.gsa.gov/tech-operations/

HackerOne missing MFA #1500

Closed adborden closed 3 years ago

adborden commented 3 years ago

Background Information

In order for TTS programs using the TTS Bug Bounty program to be compliant, TTS programs need H1 to require MFA through SecureAuth.

Implementation Steps

Reproduce

  1. Open https://hackerone.com/users/sign_in in an incognito window
  2. Enter your gsa.gov email address, click Sign In
  3. In the browser prompt, enter your ENT credentials (username/password)

Expected behavior

SecureAuth prompts you for a second factor.

Actual behavior

SecureAuth authorizes you to H1 and you're now logged in.

Acceptance Criteria

adborden commented 3 years ago

Also noticed H1 is configured with the dev instance of SecureAuth https://secureauth.dev.gsa.gov/
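The two observations in this issue (SecureAuth signs the user in to H1 after a password alone, and H1 points at the dev SecureAuth instance) are both visible in the identity assertion the IdP hands to the service provider. The script below is an added example for auditing such an assertion; it is not part of this issue, of HackerOne, or of any GSA tooling. It assumes the SecureAuth-to-HackerOne federation is SAML 2.0 (the issue does not name the protocol), uses a placeholder production issuer because the real entityID is not on the page, and treats the set of "MFA present" AuthnContextClassRef URNs as an assumption to be replaced with whatever the real IdP emits after a second factor. The sample responses are constructed inline, not captured traffic.

```python
"""Audit a SAML 2.0 response for (a) a second factor and (b) the expected IdP.

Added example; assumes SAML 2.0 federation and a placeholder production issuer.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard SAML authentication-context classes that imply a second factor.
# Which of these a given IdP emits after MFA is deployment-specific; this
# set is an assumption for the example, not something the issue states.
MFA_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered",
}

# Password-only contexts: exactly what the issue reports being accepted.
SINGLE_FACTOR_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}

# Placeholder for the production IdP entityID; the real value is not on the page.
EXPECTED_ISSUER = "https://secureauth.example.gsa.gov/"


def audit_assertion(xml_text, expected_issuer=EXPECTED_ISSUER):
    """Return a list of findings; an empty list means the assertion passes."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in response"]

    # Finding 1: assertion must come from the production IdP we federate with.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"unexpected issuer {issuer!r}")
    # Heuristic for the misconfiguration noted above: a dev hostname as issuer.
    if ".dev." in issuer:
        findings.append("assertion issued by a dev IdP instance")

    # Finding 2: the authentication context must indicate a second factor.
    ctx = assertion.findtext(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        default="", namespaces=NS,
    ).strip()
    if ctx in SINGLE_FACTOR_CLASSES or ctx not in MFA_CONTEXT_CLASSES:
        findings.append(f"AuthnContextClassRef {ctx!r} does not indicate a second factor")
    return findings


def sample_response(issuer, context_class):
    """Build a minimal constructed SAML Response for the demo (not a real capture)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>user@gsa.gov</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2021-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{context_class}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Mirrors the issue: dev IdP, password-only context -> three findings.
    reported = sample_response(
        "https://secureauth.dev.gsa.gov/",
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    )
    for f in audit_assertion(reported):
        print("FAIL:", f)
    # Expected state: production issuer, OTP-class context -> no findings.
    fixed = sample_response(
        EXPECTED_ISSUER, "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
    )
    print("fixed assertion findings:", audit_assertion(fixed))
```

Run the script as-is to see the dev/password-only assertion fail on all three checks and the production/OTP assertion pass; in practice you would feed it a response captured from your own browser's SSO session (the SAMLResponse form field, base64-decoded) and replace the placeholder issuer and context-class set with the values your IdP actually emits. Signature validation is deliberately out of scope here: the service provider must do that before any of these checks matter.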

afeld commented 3 years ago

This is now GSA Security's responsibility, so closing.