Open DavidIIED opened 7 months ago
feature/832-pentest—2fa
Installed ‘miniOrange 2FA’ module https://www.drupal.org/project/miniorange_2fa - configuration reveals it is a demo module supporting only 1 user for free - 30 users = US$115/year. Uninstalled and removed.
Installed ‘Authenticator login’ module https://www.drupal.org/project/alogin - uploaded branch to dev to test - experienced ‘known issue’ resulting in QR code not displaying. Uninstalled and removed.
Installed ‘Two-factor Authentication (TFA)’ module https://www.drupal.org/project/tfa - requires 3 further modules ‘Encrypt’, ‘Key’ and ‘Real AES’, each with further configuration settings. Also requires generation of 256-bit key using openssl. Set up as per ‘What is Two Factor Authentication and How to Use It in Drupal?’. Currently on Dev for testing.
Edit TFA module configuration so TFA not required for Admin Roles requiring TFA: Reviewer, Publications editor, Editor, Manager. Branch: feature/838-TFA-module-configuration
Disable TFA (/admin/config/people/tfa) - branch: hotfix/838a-disable tfa
Pen test and security audit remediation plan
3.1.1 Implement and enforce multi factor authentication (MFA) where possible. (p10, all sites, high)
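An added shell example for the key-generation step noted above (the TFA stack needs a 256-bit key for Real AES); it is not code from the issue or from the TFA/Key projects. It generates the key with openssl, writes it with owner-only permissions, and verifies the decoded length is 32 bytes before the Key module is pointed at it. The key path and the Key/Encrypt configuration notes in the comments are assumptions.

```shell
#!/bin/sh
# Generate and verify the 256-bit key used by TFA via Encrypt + Key + Real AES.
# Store the key outside the Drupal docroot; the path below is an assumption.
set -eu

# Write a fresh 32-byte (256-bit) random key, base64 encoded, to $1.
# umask 077 makes the file mode 0600 so only the owning service user can read it.
gen_tfa_key() {
    key_file="$1"
    ( umask 077 && openssl rand -base64 32 > "$key_file" )
}

# Print the decoded key length in bytes; Real AES needs exactly 32 (256 bits).
key_bytes() {
    openssl base64 -d < "$1" | wc -c | tr -d ' '
}

# Return 0 only if the key decodes to 32 bytes and is readable by its owner only.
check_tfa_key() {
    key_file="$1"
    [ "$(key_bytes "$key_file")" -eq 32 ] \
        || { echo "$key_file: key is not 256 bits" >&2; return 1; }
    [ -n "$(find "$key_file" -maxdepth 0 -perm 600)" ] \
        || { echo "$key_file: key file must be mode 0600" >&2; return 1; }
    return 0
}

# Example usage (assumed path, outside the web root):
#   gen_tfa_key /var/lib/drupal/keys/tfa.key
#   check_tfa_key /var/lib/drupal/keys/tfa.key
# Then register the file with the Key module (encryption key, file provider,
# base64-encoded), select it in the Encrypt profile used by TFA, and enable
# TFA for the required roles at /admin/config/people/tfa.
```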