No Rate Limiting on OTP

Description

OTP (One-Time Password) is an extra layer of security known as Two-Factor Authentication (2FA). Generally, after authentication with username and password, an OTP is requested, which is sent to the registered mobile number or email.

2FA is added so that even if the actual username and password get compromised, attackers are still not able to log in.

Generally, an OTP is a random number of 4 or 6 digits.

If there is no limit on OTP verification attempts, an attacker can easily brute-force it.

With 4 digits ---> 10,000 combinations are possible.
With 6 digits ---> 1,000,000 combinations are possible.

With a single system, an attacker can send more than 1,000 requests/sec.

So, brute-forcing a 4-digit OTP takes only 10 sec! Brute-forcing a 6-digit OTP takes about 15 min.

Example

Give Real example here

Impact

  • Account takeover is possible.

Prevention

  • Implement rate limiting in your application based on source IP as well as the active session.
  • Block that IP / session if you keep getting requests even after sending a 429 Too Many Requests response.
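The following is an added example (not code from the original page) showing what the two prevention bullets look like in an OTP verification handler: a per-IP fixed-window counter that answers 429 Too Many Requests once the limit is exceeded and blocks the IP after a few more requests arrive on top of the 429s, plus a per-session cap on wrong guesses so a single OTP can never be exhaustively guessed. It goes slightly beyond the bullets by also invalidating the OTP once the per-session cap is hit and by comparing the guess in constant time. The class and function names, the in-memory state store, and all threshold values (5 guesses per OTP, 10 requests per IP per minute, 3 strikes after a 429, 15-minute block) are assumptions chosen for illustration; a real deployment would keep the counters in shared storage such as Redis so that every application instance sees the same limits.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values are assumptions for this example, not settings taken from the page.
MAX_ATTEMPTS_PER_OTP = 5     # wrong guesses allowed before the issued OTP is dead
IP_WINDOW_SECONDS = 60       # length of the fixed window for the per-IP counter
IP_LIMIT_PER_WINDOW = 10     # verification requests one IP may make per window
STRIKES_BEFORE_BLOCK = 3     # requests received *after* a 429 before the IP is blocked
BLOCK_SECONDS = 15 * 60      # how long a blocked IP stays blocked


@dataclass
class IpState:
    window_start: float
    count: int = 0
    strikes: int = 0          # requests seen while already over the limit
    blocked_until: float = 0.0


@dataclass
class SessionState:
    otp: str
    failed: int = 0
    consumed: bool = False    # True once the OTP was used (or exhausted)


class OtpVerifier:
    """OTP check with per-session and per-IP limits (in-memory; single process assumed)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock    # injectable so the limiter can be tested with a fake clock
        self.ips: Dict[str, IpState] = {}
        self.sessions: Dict[str, SessionState] = {}

    def issue(self, session_id: str, otp: str) -> None:
        # Issuing a fresh OTP replaces the old one and resets the failure counter.
        self.sessions[session_id] = SessionState(otp=otp)

    def _check_ip(self, ip: str) -> Optional[int]:
        """Return an HTTP status to reject with, or None if the request may proceed."""
        now = self.clock()
        st = self.ips.setdefault(ip, IpState(window_start=now))
        if now < st.blocked_until:
            return 403                              # blocked: do not even count it
        if now - st.window_start >= IP_WINDOW_SECONDS:
            st.window_start, st.count, st.strikes = now, 0, 0   # new window
        st.count += 1
        if st.count > IP_LIMIT_PER_WINDOW:
            st.strikes += 1                         # client ignored earlier 429s
            if st.strikes >= STRIKES_BEFORE_BLOCK:
                st.blocked_until = now + BLOCK_SECONDS
                return 403
            return 429
        return None

    def verify(self, ip: str, session_id: str, guess: str) -> int:
        """Return the HTTP status the OTP endpoint would answer with."""
        status = self._check_ip(ip)
        if status is not None:
            return status
        sess = self.sessions.get(session_id)
        if sess is None or sess.consumed:
            return 401                              # no live OTP for this session
        if sess.failed >= MAX_ATTEMPTS_PER_OTP:
            return 429                              # OTP exhausted: client must request a new one
        # Constant-time comparison so a correct prefix does not leak through timing.
        if hmac.compare_digest(guess.encode(), sess.otp.encode()):
            sess.consumed = True                    # one successful use only
            return 200
        sess.failed += 1
        return 401


class FakeClock:
    """Deterministic clock for exercising the limiter (part of this example only)."""

    def __init__(self, t: float = 1000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clk = FakeClock()
    v = OtpVerifier(clock=clk)
    v.issue("session-1", "123456")                 # constructed sample OTP
    print([v.verify("10.0.0.1", "session-1", f"{i:06d}") for i in range(6)])
    print(v.verify("10.0.0.1", "session-1", "123456"))   # 429: the OTP is exhausted
```

Requests from a blocked IP return 403 without touching any counters, so the attacker's traffic cannot keep the window "hot"; once BLOCK_SECONDS elapse the window starts fresh. Keying on the session as well as the IP matters because an attacker can spread guesses across many source addresses, but every guess for one login still lands on the same session.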