Second Factor Authentication (2FA) Bypass

Overview

Description

Two-Factor Authentication (2FA) is an extra layer of security: after the user authenticates with a username and password, a second factor is verified before access is granted.

2FA can take various forms:

  • OTP sent to mobile/email.
  • Time-based One-Time Password algorithm (TOTP) using any Authenticator App.
  • Biometric Authentication.

2FA is added so that even if the actual username and password are compromised, the attacker still cannot log in.

If the 2FA implementation is not correct, an attacker can bypass it.

Example

There are multiple ways to bypass 2FA, and they mainly depend on the implementation. Some common ones are as follows:

1. Client-side generated 2FA code
  • Some web applications generate the 2FA code in the user's browser and then send it to the user over SMS or mail.
  • An attacker can intercept that request (or read the client-side code that produces the value) and learn the 2FA code before it is ever delivered.
2. No rate limit on 2FA code validation
  • If there is no limit on validation attempts, an attacker can brute-force the code; a 6-digit OTP has only 1,000,000 possible values.
3. 2FA backup codes not generated / stored securely
  • 2FA generally has a backup option such as backup codes, in case the mobile device is stolen.
  • These backup codes must be generated in a secure manner (from a cryptographically secure random source) and stored as hashes; predictable or plaintext codes can be guessed or read.
  • An IDOR in the backup code generation endpoint leaks another user's backup codes to the attacker, who can then use them to bypass 2FA.
4. No 2FA on password reset
  • Generally, after a password reset the user is logged in directly.
  • Sometimes developers forget to enforce 2FA on the forgot-password flow.
  • So an attacker who can obtain the reset link (for example through the victim's mailbox) resets the password and is logged in directly, bypassing 2FA.
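The following is an added example, not code from the original page, showing bypasses 1 and 2 together from both sides: a small server-side OTP verifier that generates the code on the server (so the browser never sees it) and counts attempts, and an attacker loop that submits every possible code. With the limit switched off the loop always recovers the code; with it on, the server reports a lockout after MAX_ATTEMPTS. The class, the 6-digit format, the 5-attempt threshold and the 300-second lifetime are assumptions for illustration.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
MAX_ATTEMPTS = 5          # assumed lockout threshold per pending login
OTP_TTL_SECONDS = 300     # assumed code lifetime


class OtpServer:
    """Server-side 2FA state for one pending login (illustrative, not a real framework).

    The code is generated and kept on the server; only a copy leaves over the
    out-of-band channel (SMS/mail). The browser never sees the secret or how it
    was produced, which closes bypass 1.
    """

    def __init__(self, rate_limited=True, now=time.time):
        self.rate_limited = rate_limited
        self.now = now            # injectable clock so expiry can be tested
        self.code = None
        self.expires_at = 0.0
        self.attempts = 0

    def issue_code(self):
        """Fresh random code from the OS CSPRNG. The attempt counter is
        deliberately not reset, so re-requesting a code does not undo the limit."""
        self.code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.expires_at = self.now() + OTP_TTL_SECONDS
        return self.code          # goes to the SMS/mail sender only, never to the browser

    def verify(self, submitted):
        """Returns 'ok', 'wrong', 'locked' or 'expired'."""
        if self.code is None or self.now() > self.expires_at:
            return "expired"
        if self.rate_limited and self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        if not (isinstance(submitted, str) and submitted.isascii()):
            return "wrong"        # compare_digest needs ASCII str; treat junk as a miss
        if hmac.compare_digest(self.code, submitted):
            self.code = None      # single use
            return "ok"
        return "wrong"


def brute_force(server):
    """Attacker loop (bypass 2): submit every possible code in order until one
    is accepted, or give up as soon as the server reports a lockout/expiry."""
    for guess in range(10 ** OTP_DIGITS):
        result = server.verify(f"{guess:0{OTP_DIGITS}d}")
        if result == "ok":
            return guess
        if result in ("locked", "expired"):
            return None
    return None


if __name__ == "__main__":
    for limited in (False, True):
        server = OtpServer(rate_limited=limited)
        issued = server.issue_code()
        found = brute_force(server)
        shown = "nothing" if found is None else f"{found:0{OTP_DIGITS}d}"
        print(f"rate_limited={limited}: issued {issued}, attacker got {shown} "
              f"after {server.attempts} attempts")
```

Running the block shows the unlimited server giving up the code after on average half a million guesses, while the rate-limited one stops the attacker at five. A real deployment would also limit how often a new code can be requested, since an attacker who can trigger re-issue gets a fresh target each time.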

Impact

  • If the attacker has the username and password, they can take over the account by bypassing 2FA.

Prevention

  • Never generate a 2FA code on the client side; generate it on the server and send it out of band.
  • Implement rate limiting (and lockout) on 2FA code validation.
  • Generate 2FA backup codes securely from a cryptographically secure random source, store only their hashes, and return them only to the authenticated owner.
  • Enforce 2FA on the password reset flow: completing a reset must not produce a fully authenticated session.
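The next block is an added example, not the page's own code, covering the backup-code and password-reset items above in one place: backup codes come from the OS CSPRNG and are stored only as salted PBKDF2 hashes, each redeems once, the generation endpoint takes the account from the session rather than a client-supplied user id (closing the IDOR), and a completed password reset hands back a session that is still flagged as needing the second factor. The Account class, the session dictionary, the 8 x 10-hex-character code format and the 20,000 KDF rounds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

BACKUP_CODE_COUNT = 8
BACKUP_CODE_BYTES = 5        # 40 random bits per code, shown as 10 hex chars (assumed format)
KDF_ITERATIONS = 20_000      # PBKDF2 rounds for stored hashes (assumed setting)


def kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS)


class Account:
    """Minimal user record (illustrative). Backup codes exist only as salted hashes."""

    def __init__(self, username, password, totp_enabled=True):
        self.username = username
        self.totp_enabled = totp_enabled
        self.pw_salt = secrets.token_bytes(16)
        self.pw_hash = kdf(password, self.pw_salt)
        self.backup_salt = secrets.token_bytes(16)
        self.backup_hashes = set()
        self.reset_token = None

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, kdf(password, self.pw_salt))

    def set_password(self, password):
        self.pw_salt = secrets.token_bytes(16)
        self.pw_hash = kdf(password, self.pw_salt)


def make_session(account, second_factor_verified):
    """Sessions carry whether the second factor has been passed; anything
    sensitive checks that flag, not merely that a session exists."""
    return {"user": account.username, "second_factor_verified": second_factor_verified}


def is_fully_authenticated(session):
    return session is not None and session["second_factor_verified"]


# --- Backup codes: CSPRNG-generated, stored hashed, single use ---

def enroll_backup_codes(session, accounts):
    """Generation endpoint. The account comes from the session, never from a
    client-supplied user id, so the endpoint cannot be pointed at someone else."""
    if not is_fully_authenticated(session):
        raise PermissionError("second factor required before managing backup codes")
    account = accounts[session["user"]]
    codes = [secrets.token_hex(BACKUP_CODE_BYTES) for _ in range(BACKUP_CODE_COUNT)]
    account.backup_hashes = {kdf(c, account.backup_salt) for c in codes}
    return codes   # shown to the user exactly once; the plaintext is not kept


def redeem_backup_code(account, code):
    """Second-factor step using a backup code. A matching code is invalidated on use."""
    candidate = kdf(code.strip().lower(), account.backup_salt)
    for stored in list(account.backup_hashes):
        if hmac.compare_digest(stored, candidate):
            account.backup_hashes.remove(stored)
            return True
    return False


# --- Password reset: changes the password, does not skip the second factor ---

def start_password_reset(account):
    account.reset_token = secrets.token_urlsafe(32)
    return account.reset_token   # e-mailed to the user in a real system


def complete_password_reset(account, token, new_password):
    """Valid token -> password changed and token consumed. The session handed
    back is only half authenticated when 2FA is enabled on the account."""
    if account.reset_token is None or not hmac.compare_digest(account.reset_token, token):
        return None
    account.reset_token = None
    account.set_password(new_password)
    return make_session(account, second_factor_verified=not account.totp_enabled)


def finish_second_factor(session, account, backup_code):
    """Upgrade a half-authenticated session once a backup code is redeemed."""
    if session["user"] == account.username and redeem_backup_code(account, backup_code):
        session["second_factor_verified"] = True
    return session
```

The point to carry over to a real application is the shape, not the helpers: the reset handler must never call the same "log the user in" routine the 2FA success path uses, and backup-code storage should look like password storage, hashed with a per-user salt and a deliberately slow KDF, because 40-bit codes are cheap to enumerate offline if the hash table leaks.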