Critical security finding in our ETQ 2022 deployment: Multi-factor authentication can be circumvented when accessing the Risk Assessment module through the REST API. Users who completed MFA for initial login can make direct API calls to modify high-severity risk assessments without re-authentication or step-up authentication challenges.
Our API gateway MFA enforcement appears to only validate the initial session token, not the sensitivity of subsequent operations. We discovered this during a security audit when testing session binding and token validation mechanisms.
POST /api/v2/risk/assessment/update
Authorization: Bearer eyJhbGc....(valid_token)
Payload: {riskId: 'RSK-2024-0156', severity: 'CRITICAL'}
Response: 200 OK (No MFA challenge)
This bypasses our policy requiring MFA for any changes to CRITICAL-rated risks. Has anyone implemented step-up authentication for sensitive operations in ETQ’s API layer?
This is a known architectural limitation in ETQ 2022. The API authentication layer validates bearer tokens but doesn’t have native support for operation-level MFA challenges. Your API gateway needs to implement step-up authentication by inspecting the request payload and triggering MFA based on risk severity or operation type. Most organizations use an external API gateway like Kong or Apigee for this.
Another consideration: implement session binding at the network level. Even if the API doesn’t enforce MFA per operation, you can bind the session token to the originating IP address and device fingerprint. If an API call comes from a different context than the original MFA authentication, reject it. This prevents token theft and replay attacks. We use this in combination with short-lived tokens (15-minute validity) that require refresh through an MFA-protected endpoint.
The core issue is that ETQ’s session token doesn’t carry operation-level security context. When a user authenticates with MFA, the resulting JWT token has a single authentication level that applies to all subsequent operations. You need to implement a custom authentication middleware that intercepts API calls, evaluates the operation sensitivity, and forces a new MFA challenge if the operation exceeds the current token’s authorization level. We built this using a Lambda function in our AWS API Gateway that validates tokens against a sensitivity matrix before forwarding requests to ETQ.
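As an added example (not ETQ's code, nor the gateway code any poster above describes), here is the gateway-side decision logic the last two replies outline: a sensitivity matrix keyed on the operation and the payload's severity, an MFA-freshness check on standard OIDC claims (`amr`, `auth_time`), and the IP/device session binding from the reply above. The matrix, the `bound_ip`/`bound_fp` claim names and the sample request are constructed assumptions; the token signature and expiry are assumed to be verified before these claims are trusted.

```python
# Constructed sensitivity matrix (not ETQ's): (method, path) -> required authentication level,
# optionally keyed on a payload field. Level 1 = password only, level 2 = MFA completed recently.
SENSITIVITY_MATRIX = {
    ("POST", "/api/v2/risk/assessment/update"): {
        "default": 1,
        "by_field": ("severity", {"HIGH": 2, "CRITICAL": 2}),
    },
}
MFA_MAX_AGE = 15 * 60  # seconds an MFA event stays "fresh" (15 minutes, as in the thread)

def required_level(method, path, payload):
    rule = SENSITIVITY_MATRIX.get((method, path))
    if rule is None:
        return 1
    field, levels = rule["by_field"]
    return levels.get(payload.get(field), rule["default"])

def token_level(claims, now):
    # "amr" and "auth_time" are standard OIDC JWT claims; the gateway is assumed to have
    # already verified the token signature and expiry before these claims are trusted.
    fresh = now - claims.get("auth_time", 0) <= MFA_MAX_AGE
    return 2 if "mfa" in claims.get("amr", []) and fresh else 1

def authorize(request, claims, now):
    """Gateway decision: allow the call, or reject it with the reason the client should see."""
    # Session binding: the token is only valid from the IP/device fingerprint it was issued to
    # (hypothetical "bound_ip"/"bound_fp" claims written at login).
    if (claims.get("bound_ip"), claims.get("bound_fp")) != (request["ip"], request["fingerprint"]):
        return {"allow": False, "status": 401, "reason": "session_binding_mismatch"}
    need = required_level(request["method"], request["path"], request["payload"])
    if token_level(claims, now) < need:
        # Client must complete a step-up MFA challenge and retry with a refreshed token.
        return {"allow": False, "status": 401, "reason": "step_up_required"}
    return {"allow": True, "status": 200, "reason": "ok"}

# Constructed sample: the request from the thread, sent with a token whose MFA is an hour old.
NOW = 1_700_000_000
SAMPLE_REQUEST = {"method": "POST", "path": "/api/v2/risk/assessment/update",
                  "ip": "10.0.0.5", "fingerprint": "fp-abc",
                  "payload": {"riskId": "RSK-2024-0156", "severity": "CRITICAL"}}
STALE_CLAIMS = {"sub": "u1", "amr": ["pwd", "mfa"], "auth_time": NOW - 3600,
                "bound_ip": "10.0.0.5", "bound_fp": "fp-abc"}
FRESH_CLAIMS = dict(STALE_CLAIMS, auth_time=NOW - 60)

if __name__ == "__main__":
    print(authorize(SAMPLE_REQUEST, STALE_CLAIMS, NOW))  # step_up_required
    print(authorize(SAMPLE_REQUEST, FRESH_CLAIMS, NOW))  # ok
```

The same payload with a non-critical severity passes on a stale token, which is the point of keying the matrix on the request body rather than only on the path.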