What are some of the MFA/Replay/MIM API best practice?


Hi all,

I am designing a security model for protecting the API soon to be hosted in Apigee. I have searched on things like OpenID, OAuth 3-legged, JWT, etc. They are all good except for the following:

1. A token-based approach is subject to replay and MIM attacks. I read you can use a nonce to reduce the risk, but to do that Apigee needs to maintain a collection of nonces. Is a nonce the recommended approach to prevent replay/MIM attacks?

2. The app in this case does not rely on user credentials (it is server to server for now), so an API key/secret will be used to authenticate the app. However, ISO requires a 2nd authentication. The architect says no to MTLS. I am suggesting having the app issue a self-signed JWT, but it does not look like that is a common approach. What are people doing to MFA the user identity?
