Learning Web-Sec - Day 15 - Authentication Vulnerability


Multi Factor Authentication


Multi-Factor Authentication is based upon something you know and something you have. It usually asks for two things: first the password, i.e. something you know, and then a security code that changes with time and can be obtained from a device or from mail, i.e. something you have.

Multi-Factor Authentication is of use only when different factors are verified, i.e. verifying the same factor in two different ways is not true two-factor authentication.

Example: authenticating with an OTP sent by mail after the password.

In this case only the factor of knowledge is verified, twice: first to get to the two-factor step, and then to log in to the mail account for the OTP. If the user uses the same password for both accounts, or a password with a pattern that can be guessed from the previously known one, this authentication method fails.

Two-Factor Authentication Tokens

Verification codes are usually read by the user from a physical device of some kind. Nowadays, websites use a dedicated mobile application such as Google's or Microsoft's Authenticator, where the user inputs a code or scans a QR code, and the time-based code is calculated on the device. It changes every 30 seconds.

Some websites send verification codes to the user's mobile phone by SMS. While this does verify something you have, it is open to abuse, for example through interception of the message or SIM swapping.

Bypassing Two-Factor Authentication

Occasionally, the implementation of two-factor authentication is insecure to the point that it can be bypassed entirely.

If the user is first prompted to enter a password and then prompted to enter a verification code on a new page, the user may already be in a logged-in state before they have entered the verification code. Sometimes the website doesn't even check whether the verification step was completed before serving the protected page.

Flawed 2FA logic

If two-factor authentication is not implemented properly, it can be bypassed. For example, the website may not verify that the second factor is being checked for the same user who logged in with the password in the first step.

Brute-forcing 2FA verification codes

Just like we did with passwords in previous blogs, verification codes can be brute-forced. The code is usually a simple 4 to 6 digit number, so if the website doesn't keep track of the number of tries for the 2FA code, guessing it is easy.

Websites with proper protection log the user out after a number of incorrect verification tries. In the next blog, we will try breaking the multi-factor authentication of websites.
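The three weaknesses above (access granted before the second step, the second factor checked against a user supplied in the request rather than the one who logged in, and unlimited code attempts) all come down to how the server tracks login state. The following is an added example, not code from the original post, of a server-side session flow that avoids them: the password step only records a pending identity, the MFA step takes the account from the session and never from the request, protected resources require a fully authenticated session, and a small number of wrong codes ends the login attempt. The user store, the fixed code and the attempt limit are constructed values for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_MFA_ATTEMPTS = 3  # constructed limit for the example

# Constructed user store: in a real system the password would be a salted hash and
# the code would be computed (e.g. TOTP) or freshly issued, not stored as a constant.
USERS = {"wiener": {"password": "peter", "mfa_code": "1234"}}


@dataclass
class Session:
    id: str
    pending_user: Optional[str] = None  # passed the password step, second factor not yet done
    user: Optional[str] = None          # fully authenticated identity
    mfa_attempts: int = 0


SESSIONS: dict = {}


def new_session() -> Session:
    session = Session(id=secrets.token_hex(16))
    SESSIONS[session.id] = session
    return session


def login(session: Session, username: str, password: str) -> str:
    """First factor. Proving the password only moves the session to 'pending';
    it never sets session.user, so nothing protected is reachable yet."""
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record["password"], password):
        return "invalid credentials"
    session.pending_user = username
    session.user = None
    session.mfa_attempts = 0
    return "mfa required"


def verify_mfa(session: Session, code: str) -> str:
    """Second factor. The account is read from the session, not from the request,
    so the code is always checked for the same user who passed step one.
    Wrong codes are counted and the login attempt is abandoned at the limit."""
    if session.pending_user is None:
        return "no login in progress"
    session.mfa_attempts += 1
    expected = USERS[session.pending_user]["mfa_code"]
    if hmac.compare_digest(expected, code):
        session.user = session.pending_user
        session.pending_user = None
        session.mfa_attempts = 0
        return "ok"
    if session.mfa_attempts >= MAX_MFA_ATTEMPTS:
        session.pending_user = None  # equivalent to logging the user out
        return "too many attempts, logged out"
    return "wrong code"


def require_login(session: Session) -> bool:
    """Gate for protected pages: a pending (password-only) session does not count."""
    return session.user is not None


if __name__ == "__main__":
    s = new_session()
    print(login(s, "wiener", "peter"), require_login(s))   # mfa required False
    print(verify_mfa(s, "1234"), require_login(s))         # ok True
```

Note what the `require_login` gate does not look at: `pending_user`. That single distinction is what prevents the "logged in before the verification code" problem, and the attempt counter is per login attempt, so a new password login starts the count again only after the password has been proven once more.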

Follow me for more such content, as it keeps me motivated to write such detailed blogs and walk-throughs.

Take Care, See Ya.
