Methods to bypass a 2FA in Web/Mobile Applications

Two-factor authentication (2FA) adds an extra layer of security to login accounts by asking for a verification code after you sign in with your email address and password. Two-Factor Authentication is the best way to protect your account even if your login credentials have been compromised. This authentication method provides secure access for end users.

Login Credentials + One Time Code = 2FA

Ideally, Two-Factor Authentication is implemented on cryptocurrency exchanges, banking systems, and in general on all sites whose user accounts are of a certain value.

A Two-Factor Authentication mechanism basically works in 4 steps.

Figure 1: Steps involved in a 2FA mechanism

In general, there are two methods by which a one-time code (OTP) is delivered to a registered user's mobile device.

  1. Using a text message (via SMS)
  2. Using third-party software (like Authy, Google Authenticator, etc.)

Let us see how a Two-Factor Authentication can be bypassed and what methods are available to do so. Below are a few of the methods we can try out during a penetration test on any web/mobile application that has Two-Factor Authentication enabled.

  1. Request Manipulation 
  2. Response Manipulation
  3. Brute Force Two-Factor Authentication Code

Attack Scenario 1: Request Manipulation

  1. Find a 2FA functionality within a web/mobile application.
  2. Enable 2FA for an account if it is not enabled by default.
  3. Log in to the application using a 2FA code that you’ve received on your registered mobile number.
  4. Enter a wrong 2FA code and intercept this request in a proxy tool like BurpSuite.
  5. From this captured request, remove the 2FA code parameter and its value. Then forward this request for further processing.
  6. See if you can still log in to the application, thereby bypassing the 2FA mechanism as a result of a lack of code validation on the server side.

Figure 2: Two-Factor Authentication (2FA) bypass via Request Manipulation

Attack Scenario 2: Response Manipulation

  1. Try to find a 2FA functionality within a web/mobile application.
  2. Enable 2FA for an account if it is not enabled by default.
  3. Log in to the application using a 2FA code that you’ve received on your registered mobile number.
  4. Enter a wrong 2FA code, intercept this request in a proxy tool like BurpSuite, and send it to the Repeater.
  5. Now enter a wrong code again, intercept this request in BurpSuite, select the option to intercept the response to this request, and replace the captured response with the response the application returns for a valid code.
  6. Forward this modified response and observe how the application behaves. If you are logged in, you have successfully bypassed the 2FA mechanism.

Figure 3: A Successful Two-Factor Authentication (2FA) without Response Manipulation

Figure 4: Two-Factor Authentication (2FA) bypass via Response Manipulation

Potential Impact:

If the victim's login credentials are compromised, an attacker can get full access to the account even if 2FA is enabled.

Remediation:

  1. Validate the 2FA code parameter and its value on both the client and the server side, so that a request with the parameter missing or empty is rejected. The application should also throw an error message or redirect the user to the login page if the HTTP response has been altered by them.
  2. If a user enters a wrong 2FA code multiple times, or a malicious user is trying to brute-force an OTP, the application should detect this behaviour and temporarily block the account.
  3. The 2FA code should expire after a defined time interval based on the business requirement, and the code should be unique every time someone requests it.
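The three remediation points above, put into a single server-side verification routine. This is an added example, not code from the original article; the policy values (5-minute expiry, 5 attempts, 15-minute lockout) and the simulated handler are assumptions chosen for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

OTP_TTL_SECONDS = 300    # assumed policy: a code is valid for 5 minutes
MAX_ATTEMPTS = 5         # assumed policy: wrong codes before a temporary lockout
LOCKOUT_SECONDS = 900    # assumed policy: lockout length

@dataclass
class OtpState:
    """Server-side 2FA state for one pending login; never sent to the client."""
    code: str
    issued_at: float
    attempts: int = 0
    locked_until: float = 0.0
    used: bool = False

def issue_code(now: float) -> OtpState:
    """Create a fresh random 6-digit code once the password step has succeeded."""
    return OtpState(code=f"{secrets.randbelow(10**6):06d}", issued_at=now)

def verify_code(state: OtpState, submitted: Optional[str], now: float) -> str:
    """Return 'ok', 'invalid', 'expired' or 'locked'. The verdict depends only on
    server-held state, so editing the HTTP response in a proxy cannot turn a
    failed check into a successful login."""
    if now < state.locked_until:
        return "locked"
    if state.used or now - state.issued_at > OTP_TTL_SECONDS:
        return "expired"            # single use, and expiry after the TTL
    # Request manipulation: a missing or empty parameter is compared as "",
    # so it fails like any wrong code instead of skipping the check.
    candidate = submitted.encode() if isinstance(submitted, str) else b""
    if hmac.compare_digest(candidate, state.code.encode()):
        state.used = True
        return "ok"
    state.attempts += 1             # brute force: count every failed guess
    if state.attempts >= MAX_ATTEMPTS:
        state.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "invalid"

def handle_verify_request(params: dict, state: OtpState, now: float) -> tuple:
    """Simulated handler for the 2FA step; params is the parsed request body."""
    result = verify_code(state, params.get("otp"), now)
    if result == "ok":
        return 200, "login complete"
    if result == "locked":
        return 429, "too many attempts, try again later"
    return 401, result
```

A request body with the `otp` parameter removed (Attack Scenario 1) reaches `verify_code` as `None` and is rejected like any wrong code, and because the verdict is computed from `OtpState` alone, rewriting the response (Attack Scenario 2) changes nothing on the server.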
