- November 18, 2020
- Posted by: Swati.patel
- Category: Blogs

Two-factor authentication (2FA) adds an extra layer of security to login accounts by asking for a verification code after you sign in with your email address and password. Two-Factor Authentication is the best way to protect your account even if your login credentials have been compromised. This authentication method provides secure access for end users.
Login Credentials + One Time Code = 2FA
Ideally, Two-Factor Authentication is implemented on cryptocurrency exchanges, banking systems, and indeed on all sites whose user accounts are of any value.
There are basically four steps involved in the working of a Two-Factor Authentication mechanism.
Figure 1: Steps involved in a 2FA mechanism
In general, there are two methods by which a one-time code (OTP) is delivered to a registered user's mobile phone.
- Using a text message (via SMS)
- Using third-party software (like Authy, Google Authenticator, etc.)
Let us see how Two-Factor Authentication can be bypassed and what methods are available to do so. Below are a few of the methods that can be tried during a penetration test of any web/mobile application where Two-Factor Authentication is enabled.
- Request Manipulation
- Response Manipulation
- Brute Force Two-Factor Authentication Code
Attack Scenario 1: Request Manipulation
- Find a 2FA functionality within a web/mobile application.
- Enable 2FA for an account if it is not enabled by default.
- Log in to the application using a 2FA code that you’ve received on your registered mobile number.
- Enter a wrong 2FA code and intercept the request in a proxy tool like Burp Suite.
- From this captured request, remove the 2FA code parameter and its value, then forward the request for further processing.
- See if you can still log in to the application, thereby bypassing the 2FA mechanism as a result of missing code validation at the server end.
Figure 2: Two-Factor Authentication (2FA) bypass via Request Manipulation
Attack Scenario 2: Response Manipulation
- Find a 2FA functionality within a web/mobile application.
- Enable 2FA for an account if it is not enabled by default.
- Log in to the application using a 2FA code that you’ve received on your registered mobile number.
- Enter a wrong 2FA code, intercept the request in a proxy tool like Burp Suite, and send it to the Repeater.
- Now enter a wrong code again, intercept the request in Burp Suite, choose the option to intercept the response to this request, and replace the captured response with the response returned for a valid code.
- Forward this modified response and see how the application behaves. If you can log in, you have successfully bypassed the 2FA mechanism.
Figure 3: A Successful Two-Factor Authentication (2FA) without Response Manipulation
Figure 4: Two-Factor Authentication (2FA) bypass via Response Manipulation
Potential Impact:
If the victim's login credentials are compromised, an attacker can gain full access to the account even if 2FA is enabled.
Remediation:
- Apply validation checks on the 2FA code parameter and its value on both the client and the server side; the server-side check is the one that must decide whether login succeeds, so a missing or empty parameter is treated as a failed attempt. The application should also show an error message or redirect the user to the login page if the HTTP response has been altered.
- If a user enters a wrong 2FA code multiple times, or a malicious user tries to brute-force an OTP, the application should detect this behavior and temporarily block the account.
- The 2FA code should expire after a defined time interval based on the business requirement, and the code should be unique every time it is requested.
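As an added example (not code from the original post), the Python below places the weak server-side check that Scenario 1 exploits next to a hardened version implementing the remediation points above: the login decision is made on the server, a missing or malformed parameter fails, codes are unpredictable, expire, and are single use, and repeated wrong codes trigger a temporary block. The `OtpStore`, the policy limits and the request dictionaries are constructed for illustration.

```python
import hmac
import secrets
import time
# Policy values are illustrative assumptions, not from the original post.
MAX_ATTEMPTS = 5          # wrong codes tolerated before a temporary block
CODE_TTL_SECONDS = 300    # a code is only valid for five minutes
LOCKOUT_SECONDS = 900     # length of the temporary block

class OtpStore:
    """Server-side record of issued codes and failed attempts (constructed)."""
    def __init__(self):
        self.codes = {}      # user -> (code, issued_at)
        self.failures = {}   # user -> (count, locked_until)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # fresh, unpredictable each request
        self.codes[user] = (code, now)
        return code

def verify_otp_vulnerable(store, user, request):
    """Mirrors the missing server-side validation in Scenario 1: a request
    without an 'otp' parameter skips the check and login proceeds."""
    if "otp" not in request:
        return True
    code, _ = store.codes.get(user, (None, 0))
    return request["otp"] == code

def verify_otp_hardened(store, user, request, now=None):
    """The server decides; a tampered response or missing parameter never grants access."""
    now = time.time() if now is None else now
    count, locked_until = store.failures.get(user, (0, 0))
    if now < locked_until:
        return False  # still blocked after repeated wrong codes
    submitted = request.get("otp")
    issued = store.codes.get(user)
    ok = False
    if isinstance(submitted, str) and issued is not None:
        code, issued_at = issued
        fresh = now - issued_at <= CODE_TTL_SECONDS
        ok = fresh and hmac.compare_digest(submitted.encode(), code.encode())
    if ok:
        store.codes.pop(user, None)      # single use: the code cannot be replayed
        store.failures.pop(user, None)
        return True
    count += 1
    locked_until = now + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0
    store.failures[user] = (count, locked_until)
    return False
```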