AWS securityagent documentation change
Summary
Added documentation for TOTP-based 2FA support in credential configuration
Security assessment
The changes introduce documentation for configuring TOTP-based two-factor authentication as a security feature, but there is no evidence of addressing a specific existing vulnerability or security incident. The update enhances security documentation by expanding supported authentication methods.
Diff
diff --git a/securityagent/latest/userguide/provide-testing-credentials.md b/securityagent/latest/userguide/provide-testing-credentials.md index 5c2cc8bd0..c73ac473f 100644 --- a//securityagent/latest/userguide/provide-testing-credentials.md +++ b//securityagent/latest/userguide/provide-testing-credentials.md @@ -45 +45,9 @@ If you select **Advanced setting** , you can choose from three credential strate - 4. (Optional) Expand **Agent Space login prompt** to provide specific login instructions if your application has a complex authentication flow. + 4. (Optional) In the **2FA - optional** field, provide a TOTP secret for applications that require two-factor authentication. You can either: + + * Enter the TOTP secret directly (for example, `JBSWY3DPEHPK3PXP`), or enter the full `otpauth://totp/` URI (for example, `otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example`). + + * Click the upload icon to upload a QR code image from your authenticator app setup page. The QR code is scanned locally and the TOTP URI is extracted automatically. + +When a TOTP secret is provided, the agent automatically generates fresh one-time codes and enters them when a 2FA prompt is detected during login. + + 5. (Optional) Expand **Agent Space login prompt** to provide specific login instructions if your application has a complex authentication flow. @@ -75 +83 @@ Use the **Agent Space login prompt** to provide detailed instructions on how to -For example, if the agent is to submit a username/password login form at https://example.com/login, you may format your secret as JSON with `username` and `password` fields: +For example, if the agent is to submit a username/password login form at https://example.com/login, you may format your secret as JSON with `username` and `password` fields. If the application requires TOTP-based 2FA, include a `totpSecret` field with either the TOTP secret directly or a full `otpauth://totp/` URI: @@ -80 +88,2 @@ For example, if the agent is to submit a username/password login form at https:/ - "password": "secure-password-here" + "password": "secure-password-here", + "totpSecret": "JBSWY3DPEHPK3PXP" @@ -83 +92 @@ For example, if the agent is to submit a username/password login form at https:/ -Then, configure the authentication instructions: . Enable **This credential requires interactive login (form submission)**. . Set **Access URL** to `https://example.com` (or any other URL selected from the list of target endpoints). . Enter the following into **Agent Space login prompt** : "Navigate to https://example.com/login and enter the provided username and password into the form." +Then, configure the authentication instructions: . Set **Access URL** to `https://example.com` (or any other URL selected from the list of target endpoints). . Enter the following into **Agent Space login prompt** : "Navigate to https://example.com/login and enter the provided username and password into the form." @@ -90 +99 @@ As another example, if you instead have an API key to be provided in an HTTP hea -Then, configure the authentication instructions: . Disable **This credential requires interactive login (form submission)**. . Enter the following into **Agent Space login prompt** : "Set the X-API-Key header to the provided API key for all requests." +Then, configure the authentication instructions: . Enter the following into **Agent Space login prompt** : "Set the X-API-Key header to the provided API key for all requests." @@ -94 +103 @@ Then, configure the authentication instructions: . Disable **This credential req -We currently do not support 2FA or OAuth-based authentication. +Only TOTP-based 2FA is supported. SMS, email, push notifications, hardware keys, and OAuth authentication are not supported.