IIED-org / IIED-main

Main website for the International Institute for Environment and Development (IIED)
https://www.iied.org

MFA #832

Open DavidIIED opened 7 months ago

DavidIIED commented 7 months ago

Pen test and security audit remediation plan

3.1.1 Implement and enforce multi-factor authentication (MFA) where possible. (p10, all sites, high)


DavidIIED commented 7 months ago

feature/832-pentest—2fa

DavidIIED commented 7 months ago

Installed ‘miniOrange 2FA’ module https://www.drupal.org/project/miniorange_2fa - configuration reveals it is a demo module supporting only 1 user for free - 30 users = US$115/year. Uninstalled and removed.

Installed ‘Authenticator login’ module https://www.drupal.org/project/alogin - uploaded branch to dev to test - experienced ‘known issue’ resulting in QR code not displaying. Uninstalled and removed.

Installed ‘Two-factor Authentication (TFA)’ module https://www.drupal.org/project/tfa - requires 3 further modules ‘Encrypt’, ‘Key’ and ‘Real AES’, each with further configuration settings. Also requires generation of 256-bit key using openssl. Set up as per ‘What is Two Factor Authentication and How to Use It in Drupal?’. Currently on Dev for testing.
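
The 256-bit key generation step mentioned above, as an added example that is not part of this issue thread or the TFA module: it generates the base64 key that the Key/Real AES modules consume, writes it with owner-only permissions, and checks that it really decodes to 32 bytes (the key file path is an assumed placeholder; on a real site it must sit outside the web root).

```shell
#!/bin/sh
# Added example, not from the IIED issue or the Drupal TFA module.
# Assumed placeholder path; a real key file belongs outside the web root.
KEY_FILE="${KEY_FILE:-/tmp/tfa-encrypt.key}"

# Produce 32 random bytes (256 bits), base64-encoded on a single line.
# Falls back to /dev/urandom when openssl is not installed.
generate_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
  fi
}

# Create the key file with a restrictive umask so it is never
# world-readable, even briefly, then pin the mode to 0600.
write_key_file() {
  file="$1"
  ( umask 077; generate_key > "$file" )
  chmod 600 "$file"
}

# Return 0 only if the base64 content decodes to exactly 32 bytes;
# a short or non-base64 key would silently weaken Real AES.
key_is_256_bit() {
  file="$1"
  [ -f "$file" ] || return 1
  bytes=$(base64 -d "$file" 2>/dev/null | wc -c | tr -d ' ')
  [ "${bytes:-0}" -eq 32 ]
}
```

Run `write_key_file "$KEY_FILE"` once, then point the Key module's file provider at that path and confirm `key_is_256_bit "$KEY_FILE"` succeeds before enabling Real AES.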

DavidIIED commented 6 months ago

Edit TFA module configuration so TFA is not required for Admin Roles requiring TFA: Reviewer, Publications editor, Editor, Manager. Branch: feature/838-TFA-module-configuration

Disable TFA (/admin/config/people/tfa) - branch: hotfix/838a-disable tfa