Two-Factor(2FA) Authentication – Ultimate Security? It Can Be Bypassed

If you are thinking you are safe internet user and your digital assets, digital presence is secured because you are using two-factor authentication, hold on…

I will describe how these two-factor authentications can be bypass.

Following are some 2FA Bypass Vulnerabilities techniques:

1. Response Manipulation

In response, if “success”: false Change it to “success”: true

2. Status Code Manipulation

If Status Code is 4xx try to change it to 200 OK and see if it bypasses restrictions

3. 2FA Code Leakage in Response

Check the response of the two-factor authentication (2FA) Code Triggering Request to see if the code is leaked

4. JS File Analysis

Rare but some JS Files may contain info about the 2FA Code, worth giving a shot

5. 2FA Code Reusability

The same code can be reused

6. Lack of Brute-Force Protection

Possible to brute-force any length 2FA Code

7. Missing 2FA Code Integrity Validation

Code for any user account can be used to bypass the 2FA or two-factor authentication

8. CSRF on 2FA Disabling

No CSRF Protection on disabling 2FA, also there is no auth confirmation

9. Password Reset Disable 2FA

2FA gets disabled on password change/email change 2 | P a g e Debraj Basak Security Research Analyst

10. Backup Code Abuse

Bypassing 2FA by abusing the Backup code feature Use the above-mentioned techniques to bypass Backup Code to remove/reset 2FA reset restrictions

11. Clickjacking on 2FA Disabling Page

I-framing the 2FA Disabling page and social engineering victim to disable the 2FA

12. Enabling 2FA doesn’t expire previously active Sessions

If the session is already hijacked and there is a session timeout vulnerability

13. Bypass 2FA with null or 000000

Enter the code 000000 or null to bypass two-factor authentication protection. Steps: – 1. Enter “null” in 2FA code 2. Enter 000000 in 2FA code 3. Send empty code 4. Open a new tab in the same browser and check if other API endpoints are accessible without entering 2FA

14. Google Authenticator Bypass

Steps:

1. Set-up Google Authenticator for 2FA
2. Now, 2FA is enabled
3. Go on password reset page and change your password
4. If you are website redirect you to your dashboard then 2FA (Google Authenticator) is bypassed

15. Bypassing OTP in registration forms by repeating the form submission multiple times using repeater in BurpSuite

Steps:

1. Create an account with a non-existing phone number
2. Intercept the Request in BurpSuite
3. Send the request to the repeater and forward
4. Go to the Repeater tab and change the non-existent phone number to your phone number
5. If you got an OTP on your phone, try using that OTP to register that non-existent number
6. Either one of the Vulnerabilities of any of them doesn’t need to present on your Web application. But a Black Hat Hacker will check all of the possibilities and break into your server.

So, be very careful while writing the web service program and very carefully deal with the API.

Lastly don’t share your credentials with anyone and don’t become a prey of a phishing attack.