Mutual HTTPS Authentication can add a lot of security to your two-factor authentication setup by thwarting most network-based MiTM attacks. Here are some things to consider:
- You must decide to implement mutual https authentication before rolling out tokens to your users.
- It is only used for SSL-based websites and SSL-VPNs where the browser is used.
- When you add an https URL in the Registered URL box on the domain configuration page, the server grabs the cert, hashes it and stores it. Any token registered AFTER this will fetch the cert over the user's connection, hash it and compare it to the hash delivered with the OTP. If they don't match, an error is thrown. If they do, the OTP is presented and the browser is launched to the Registered URL.
- If you change the URL on the domain page, you have to re-register all the tokens!
- If a user is getting an error, there is a possibility of a MiTM attack.