Calmony Sanctions Monitor. Updated March 12, 2026

MFA Enforcement for Sensitive Operations (HIPAA-08)

Compliance Finding — v0.1.155

This page documents a security gap identified under HIPAA control HIPAA-08 and the recommended remediation steps.

Overview

As of v0.1.155, the platform does not enforce multi-factor authentication (MFA) or step-up re-authentication for high-risk operations. Any action in the list below can be performed using only a valid session token, with no additional identity verification.

Affected Operations

Operation                   | Risk
----------------------------+-----------------------------------------------
Permanent data deletion     | Irreversible data loss
Full data export            | Bulk exfiltration of sensitive compliance data
API key creation            | Unauthorised programmatic access
API key revocation          | Service disruption
Financial credit purchases  | Unauthorised financial transactions

Security Impact

A session token compromised via session hijacking (e.g. XSS, token theft, network interception) is sufficient to trigger any of the above operations. No secondary factor or re-authentication challenge is presented to the user.

This violates HIPAA-08, which requires that access to sensitive operations be protected by appropriate authentication controls beyond a single session credential.

Recommended Remediation

Three implementation options are available, listed in order of strength:

Option 1 — OAuth Re-authentication (Recommended)

Prompt the user to re-authenticate via their OAuth provider immediately before the sensitive action is executed. Use NextAuth's signIn method to trigger a fresh authentication flow.

import { signIn } from 'next-auth/react';
// Trigger re-authentication before a sensitive operation; `prompt: 'login'` asks an
// OIDC provider to re-verify the user rather than silently reuse its own session.
await signIn(provider, { callbackUrl: '/confirm-action' }, { prompt: 'login' });

This provides the strongest guarantee because it validates the user's identity directly with the identity provider, not just against a stored session.

Option 2 — TOTP via Authenticator App

Integrate time-based one-time password (TOTP) support using the otplib library. Users enrol an authenticator app (e.g. Google Authenticator, Authy) and must supply a valid TOTP code before any sensitive operation proceeds.

import { authenticator } from 'otplib';

// Verify a TOTP token supplied by the user
const isValid = authenticator.verify({
  token: userSuppliedToken,
  secret: userStoredSecret,
});

if (!isValid) {
  throw new Error('Invalid or expired MFA code.');
}

Option 3 — Email OTP (Minimum Baseline)

For account deletion and bulk export operations, send a one-time passcode to the user's registered email address. The operation must not proceed until the correct code is submitted.

This is the minimum acceptable baseline and does not protect against scenarios where the attacker also has access to the user's email account.

Compliance Reference

  • Control: HIPAA-08
  • Framework: HIPAA
  • Introduced in: v0.1.155
