Application Modernisation · Deep dive 02

A second factor for an app that has never heard of one

Reverse proxy, header injection and Conditional Access add MFA to an app with no native support. The application-side twin of our edge pattern.

Draft outline · Engineering craft lens
The anchor

Plenty of government line-of-business apps have no concept of MFA and no vendor path to it, yet they hold sensitive data and face credential-abuse pressure (Scattered Spider and commodity credential stuffing). You add the factor around the app, at the access layer, when you cannot add it inside.

Sources we build on
Primary

Government advisory on why single-factor legacy apps are a favoured foothold.

Journalism
BleepingComputer credential-abuse reporting

Independent reporting on credential stuffing and account takeover against apps without MFA.

Article outline
  1. The app that cannot do MFA. No SSO, no roadmap, real data.
  2. Factor at the access layer. Reverse proxy plus Entra plus Conditional Access in front.
  3. Header injection to the app. Passing a trusted identity the app will accept.
  4. Edge cases. Service accounts, APIs and non-browser clients.
  5. Proxy now, modernise later. How this feeds a build decision.
How it aligns to what we do

An engineering-craft twin to the Network Edge reverse-proxy dive: same pattern, application lens. It reinforces that we solve the app-you-cannot-change problem pragmatically and at fixed price, rather than insisting on a rebuild.

Points to hit
Control it ratifies
ISM / E8: E8 Multi-factor authentication, achieved at the access layer for an app with no native support; ISM authentication controls.