
Query on best practice – using 2FA to self-authorise IP addresses in an allow-list

Çağlar Arlı


I want to know whether a solution I'm considering for a web app is particularly secure / in line with best practices etc.

Scenario: a web application; it's a stock management app for small retailers. There is an element of sales/customer management, so data security (GDPR here in the UK) definitely applies.

To help secure the app, we've implemented an IP-address-based allow-list. Even the login page itself is protected, outside the IP allow-list you get nothing on any URL except an "access denied" redirect.

Once authorised by IP, you log in, and from there every single page, API call (even menu option) is tightly controlled by an access-based authentication system.

The trouble is, a couple of the retail customers don't have / won't pay for static IPs and they keep changing (maybe weekly).

At the moment, this is resolved via support call (they phone me) but the retailer must spend at least a short time without the stock system.

I'd like to try to allow them "administrative self-service" e.g. a page whereby (with enough authentication) a senior store manager could add the in-store PC to the allow-list.

The authentication I'm thinking of is:

  • The redirect will tell you if your IP lies outside the allow-list (so you can tell the difference between 'my IP changed' and 'my authenticated user just isn't allowed to have this page').
  • To add your current IP to the allow-list you will have to provide:
    • Username and password for a privileged user
    • 2FA code (e.g. Google Authenticator) from a device that has previously been set up and tied to the same user credentials.

Would anyone please be prepared to comment on the potential weaknesses of this concept?

I'm already thinking it opens the app to malicious users from within (they could self-auth their home PCs), but then we have already permitted that to store owners who want to do stock checks or VAT reports from home...

It retains the strong "nobody outside the allow-list gets anything" mechanism (which we like), but the page itself must be exempt from the allow-list, otherwise it's inaccessible. I worry about DDoS or credential stuffing attacks against that single page.

I'd be interested to hear whether this sets any alarm bells ringing, is a "good" idea, or any alternative mechanism? (I thought about client certificates, but these retailers tend to be admins on their own self-setup PCs; they could just copy them.)

I've kept the post deliberately tech-stack-agnostic just to keep my question purely to the concept/mechanism itself.
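The mechanism described in the question (an edge allow-list with a single exempt self-service page that takes a privileged user's password plus a TOTP code and adds the caller's IP), modelled as a small in-memory Python example. This is added illustration, not code from the poster's application. Everything beyond the post's own description is an assumption and labelled as such: the path name, a one-week expiry on self-added IPs, a per-source-IP failure limit on the exempt page (the poster's credential-stuffing worry), replay rejection of an already-used TOTP code, and PBKDF2 for password storage. The TOTP routine is RFC 6238 (HMAC-SHA1, 30 s step), so its output can be checked against the RFC's published test vectors.

```python
"""Self-service IP allow-listing behind password + TOTP (in-memory model, added example)."""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30                   # RFC 6238 default time step (seconds)
TOTP_DIGITS = 6
SELF_AUTH_PATH = "/self-authorise"   # assumption: the one path exempt from the allow-list
SELF_AUTH_TTL = 7 * 24 * 3600        # assumption: self-added IPs expire after a week
MAX_FAILURES = 5                     # assumption: failures per source IP per window
FAIL_WINDOW = 15 * 60                # assumption: 15-minute failure window
PBKDF2_ROUNDS = 100_000              # assumption: password hashing cost


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30 s step containing `now`."""
    msg = struct.pack(">Q", now // TOTP_STEP)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Gateway:
    def __init__(self, static_allow):
        self.static_allow = set(static_allow)   # the customer-supplied static IPs
        self.dynamic_allow = {}                 # ip -> expiry timestamp (self-added)
        self.users = {}                         # username -> credential record
        self.failures = {}                      # source ip -> failure timestamps

    def add_user(self, username, password, totp_secret, privileged):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": hash_password(password, salt),
                                "totp": totp_secret, "privileged": privileged,
                                "last_step": -1}   # last TOTP step accepted (replay guard)

    def ip_allowed(self, ip, now):
        return ip in self.static_allow or self.dynamic_allow.get(ip, 0) > now

    def request(self, ip, path, now):
        """Edge check: every path except the self-authorise page needs an allowed IP.
        The denial names the reason so a user can tell 'my IP changed' from 'forbidden'."""
        if path == SELF_AUTH_PATH:
            return "ok"
        return "ok" if self.ip_allowed(ip, now) else "denied:ip_not_in_allow_list"

    def _too_many_failures(self, ip, now):
        recent = [t for t in self.failures.get(ip, []) if now - t < FAIL_WINDOW]
        self.failures[ip] = recent
        return len(recent) >= MAX_FAILURES

    def self_authorise(self, ip, username, password, code, now):
        """Add the caller's IP for SELF_AUTH_TTL if password + TOTP check out."""
        if self._too_many_failures(ip, now):
            return "rate_limited"
        user = self.users.get(username)
        # Do the password work even for unknown users so timing does not leak existence.
        salt = user["salt"] if user else b"\x00" * 16
        expected = user["pw"] if user else b"\x00" * 32
        pw_ok = hmac.compare_digest(hash_password(password, salt), expected)
        matched_step = None
        if user:
            for d in (-1, 0, 1):   # tolerate one step of clock drift either way
                if hmac.compare_digest(totp(user["totp"], now + d * TOTP_STEP), code):
                    matched_step = now // TOTP_STEP + d
                    break
        totp_ok = matched_step is not None and matched_step > user["last_step"]
        if not (user and user["privileged"] and pw_ok and totp_ok):
            self.failures.setdefault(ip, []).append(now)
            return "denied"          # one generic answer for every failure mode
        user["last_step"] = matched_step
        self.dynamic_allow[ip] = now + SELF_AUTH_TTL
        return "allowed"
```

Usage: build a `Gateway` with the static IPs, register a manager with `add_user(..., privileged=True)`, and call `self_authorise` from the exempt page. The pieces the question asks about are all visible here: the exempt page is the only thing reachable from an unknown IP, failed attempts against it are throttled per source IP, a used TOTP code cannot be replayed, and self-added entries fall out of the list on their own so a forgotten home PC does not stay authorised forever. IP addresses are RFC 5737 documentation ranges and the TOTP secret is the RFC 6238 test key, both constructed for the example.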