Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that strengthens access security by requiring two methods to verify your identity.
Two-factor authentication is used on top of the user’s password when logging into an account as a second form of authentication. The second layer of authentication can be a code provided through text message, authenticator applications, or it can be made up of a fingerprint or face recognition.
Two-factor authentication is a subset of multi-factor authentication. In the case of multi-factor authentication, the user is required to prove their identity in more than two different ways.
It is often considered the ultimate defence against identity theft and corporate data breaches. Even when attackers already hold your email address and password, for example from a data breach, they still have to pass the second factor before they can access your account. Two-factor authentication therefore acts as an additional layer of security.
This method is about bypassing the two-factor authentication mechanism using the password reset function. In almost all web applications the password reset function automatically logs the user into the application once the reset procedure is completed:
Go to Change Password => Request Password Reset Token => Use Password Reset Token => Logged in to the web application
Observe that 2FA is never enforced anywhere in this flow, so an attacker who can complete a password reset can potentially abuse it to skip 2FA. A related bypass is to log into the web application through an OAuth integration rather than with the username and password, since the OAuth path may not trigger 2FA either.
Note:
For this bypass to work, the attacker must have access to the OAuth integration account in order to log in on behalf of the user.
Site.com requests an OAuth token from Facebook => Facebook verifies the user account => Facebook sends the callback code => Site.com logs the user in
The application doesn't check for a null or empty code in the 2FA verification step, so the 2FA can sometimes be bypassed by sending a blank code or a null code.
{OTP:'123456'} => {OTP:''}
{OTP:'123456'} => {OTP:'null'}
Sometimes developers set two-factor authentication codes to default values like 111111, 000000, 123456, etc.
This method is about bypassing the 2FA by changing Boolean values.
First scenario: an attacker can pass the value "true" in the OTP parameter. If the application only checks the parameter for truthiness, the check can be bypassed.
{OTP:'23243'} => {OTP:'true'}
Second scenario: an attacker can pass the value "false" in a parameter like OTP_Enabled or 2FA_enabled.
{mfa:'true'} => {mfa:'false'}
Sometimes 2FA is bypassed by removing the parameter and its value entirely.
{email:'[email protected]', password:'******', otp:'323232'} =>
{email:'[email protected]', password:'******'}
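As an added defensive example (not code from the original post), the following Python verifier rejects every manipulated payload listed above: an empty code, a JSON null, the string "null", a JSON boolean, the string "true", a removed otp parameter and a client-supplied mfa flag. The user record, the six-digit code length and all function names are assumptions made for this illustration; codes are generated with the `secrets` module so no default such as 000000 or 123456 can ever be a valid code.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Any, Dict, Optional

OTP_LENGTH = 6  # assumed code length for this example


def generate_otp() -> str:
    """Issue a uniformly random, zero-padded numeric code.

    Using secrets (not a fixed default, not the random module) means no
    predictable value such as 000000, 111111 or 123456 is ever issued.
    """
    return f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"


@dataclass
class User:
    """Constructed user record; this server-side flag is the only authority on MFA."""
    username: str
    mfa_enabled: bool
    pending_otp: Optional[str] = None  # code issued for the login in progress


def verify_otp(user: User, body: Dict[str, Any]) -> bool:
    """Return True only if the request carries exactly the code issued to this user.

    Nothing in `body` other than a well-formed otp string is consulted, so
    {mfa: 'false'}, {otp: true}, {otp: null}, {otp: ''} and a missing otp key
    all fail the check.
    """
    if not user.mfa_enabled:
        return True  # password-only account: nothing to verify
    if user.pending_otp is None:
        return False  # no challenge outstanding, so no code can be right

    submitted = body.get("otp")
    # Strict type check: JSON true/false/null and numbers are not str.
    if not isinstance(submitted, str):
        return False
    # Strict shape check: exactly OTP_LENGTH ASCII digits, nothing else.
    if len(submitted) != OTP_LENGTH or not submitted.isascii() or not submitted.isdigit():
        return False
    # Constant-time comparison so response timing does not leak matching prefixes.
    return hmac.compare_digest(submitted, user.pending_otp)


# Constructed request bodies mirroring the manipulations listed above.
TAMPERED_BODIES = [
    {"otp": ""},          # blank code
    {"otp": None},        # JSON null
    {"otp": "null"},      # the string "null"
    {"otp": True},        # JSON boolean
    {"otp": "true"},      # the string "true"
    {"otp": "000000"},    # common default value
    {"mfa": "false"},     # client tries to switch MFA off; otp removed
    {},                   # otp parameter removed entirely
]


def tampering_results(user: User) -> Dict[str, bool]:
    """Run each tampered body through verify_otp; every value should be False."""
    return {repr(body): verify_otp(user, body) for body in TAMPERED_BODIES}


if __name__ == "__main__":
    demo_user = User("alice", mfa_enabled=True, pending_otp=generate_otp())
    for body, accepted in tampering_results(demo_user).items():
        print(f"{body:<40} accepted={accepted}")
```

The type and shape checks are deliberately separate from the comparison: a value that is not a six-digit ASCII string is refused before any comparison happens, and whether MFA applies at all is read from the user record, never from the request.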
Usually the 2FA code is 4 to 6 characters long and is often purely numeric, which gives about 151,800 possibilities; in a real-world scenario that is easily brute-forceable on an ordinary computer.
Advanced brute-force method: the X-Forwarded-For header can be used to bypass rate-limit protection by spoofing the source IP address, for example:
X-Forwarded-For: 127.0.0.1
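The usual reason header spoofing defeats rate limiting is that the limit is keyed on a client-controlled value. The added Python example below (not code from the original post) keys the failure counter on the server-issued 2FA challenge id instead, so changing X-Forwarded-For between requests has no effect; the attempt limit, lockout duration, function names and the manual clock are assumptions for this illustration.

```python
import hmac
import time
from collections import defaultdict
from typing import Callable, Dict, Mapping

MAX_FAILURES = 5           # assumed policy: failed guesses before the challenge locks
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration


class ManualClock:
    """Constructed clock so the lockout expiry can be shown offline."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class OtpAttemptLimiter:
    """Counts failed OTP submissions per login challenge.

    The key is the server-issued challenge id, so the counter cannot be reset
    by varying X-Forwarded-For or any other value the client controls.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, challenge_id: str) -> bool:
        until = self._locked_until.get(challenge_id)
        return until is not None and self._now() < until

    def record_failure(self, challenge_id: str) -> None:
        self._failures[challenge_id] += 1
        if self._failures[challenge_id] >= MAX_FAILURES:
            self._locked_until[challenge_id] = self._now() + LOCKOUT_SECONDS

    def clear(self, challenge_id: str) -> None:
        self._failures.pop(challenge_id, None)
        self._locked_until.pop(challenge_id, None)


def handle_otp_submission(limiter: OtpAttemptLimiter, challenge_id: str,
                          expected_otp: str, submitted_otp: str,
                          headers: Mapping[str, str]) -> Dict[str, str]:
    """Outcome of one /2fa/auth request: 'locked', 'invalid' or 'ok'.

    The forwarded-for header is copied into the result only so it can be logged
    (a challenge that keeps changing its claimed source is itself a signal);
    it never influences the limit. If a client address is needed at all, take it
    from the trusted reverse proxy, not from a header the client can set.
    """
    forwarded_for = headers.get("X-Forwarded-For", "")
    if limiter.is_locked(challenge_id):
        return {"result": "locked", "x_forwarded_for": forwarded_for}
    if hmac.compare_digest(submitted_otp, expected_otp):
        limiter.clear(challenge_id)
        return {"result": "ok", "x_forwarded_for": forwarded_for}
    limiter.record_failure(challenge_id)
    return {"result": "invalid", "x_forwarded_for": forwarded_for}


if __name__ == "__main__":
    # Constructed scenario: six guesses against one challenge, each claiming a new source IP.
    clock = ManualClock()
    limiter = OtpAttemptLimiter(now=clock)
    for i in range(6):
        outcome = handle_otp_submission(limiter, "chal-1", "482913", "000000",
                                        {"X-Forwarded-For": f"10.0.0.{i}"})
        print(i + 1, outcome)
```

Because the lockout is attached to the challenge, the only way to obtain a fresh counter is to start a new login, which requires the first factor again; that is the property the IP-keyed limiter lacks.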
An attacker can reuse previously used or unused token values to verify the device. However, this technique requires the attacker to have access to previously generated values, which can be obtained by reversing the code-generation algorithm or by intercepting a previously issued code.
This method is about bypassing the 2FA by modifying the response.
First scenario: check whether the response contains a negative value when a wrong code is entered, then change that value to a positive one.
{success:’false’} => {success:’true’}
{valid:’false’} => {valid:’true’}
{success:’0′} => {success:’1′}
Second Scenario: Try to find the valid status code when entering the correct code. Now give any wrong OTP code and check the response code if it’s something like 3xx, 4xx then try to change it to 200 OK and see if it bypasses restrictions.
HTTP/1.1 400 Bad Request => HTTP/1.1 200 OK
An attacker is able to log in with an activation/confirmation link because the token never expires; it can be reused many times to bypass two-factor authentication.
An application sometimes leaks a token in the response body or in the Referer header, so it is important to look for that information while testing for a 2FA bypass.
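Token reuse (the "previously used values" case above) and non-expiring confirmation links share one fix: the server records each token, accepts it once, and refuses it after a short window. The following Python store is an added example, not code from the original post; the validity window, purposes and function names are assumptions for this illustration. It also stores only a hash of each token, so a leaked database does not yield usable links.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 10 * 60  # assumed validity window for links and device-verification tokens


class OneTimeTokenStore:
    """Server-side registry of tokens that are valid once, for one purpose, and only briefly.

    The raw token travels out of band (email link, SMS, authenticator app) and is
    never echoed in an HTTP response body; only its SHA-256 digest is kept here.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # digest -> (purpose, subject, expires_at)
        self._entries: Dict[str, Tuple[str, str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, purpose: str, subject: str) -> str:
        """Create a token bound to one purpose (e.g. 'confirm-email') and one subject."""
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable or enumerable
        self._entries[self._digest(token)] = (purpose, subject, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, purpose: str) -> Optional[str]:
        """Consume the token and return the subject it was issued for, or None.

        pop() removes the entry on the first presentation whether or not the
        checks then pass, so a replayed, expired or mis-purposed token can
        never be tried a second time.
        """
        entry = self._entries.pop(self._digest(token), None)
        if entry is None:
            return None
        stored_purpose, subject, expires_at = entry
        if stored_purpose != purpose or self._now() > expires_at:
            return None
        return subject

    def outstanding(self) -> int:
        """Number of tokens not yet consumed (useful for a periodic expiry sweep)."""
        return len(self._entries)


if __name__ == "__main__":
    store = OneTimeTokenStore()
    link_token = store.issue("confirm-email", "alice")
    print("first use :", store.redeem(link_token, "confirm-email"))   # alice
    print("second use:", store.redeem(link_token, "confirm-email"))   # None
```

Two points follow from the code: the API response that triggers the link should say only that it was sent, not repeat the token; and the page the link lands on should send a `Referrer-Policy: no-referrer` header so the token in its URL is not carried in the Referer header to any third-party resource.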
Note down all endpoints of the application and try to access them directly before completing the 2FA authentication step.
https://test.test.com/2FA/auth => https://test.test.com/dashboard
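The password-reset, OAuth, response-manipulation and direct-endpoint bypasses above all exploit the same design gap: the server lets some path other than the OTP check produce a fully authenticated session, or protects endpoints individually instead of by default. The added Python example below (not code from the original post) routes every first-factor path through one landing point that leaves an MFA user in a pending state, and authorizes requests from server-side session state with a deny-by-default allowlist. The user directory, endpoint names and function names are assumptions for this illustration.

```python
from enum import Enum
from typing import Dict, Optional

# Constructed user directory; mfa_enabled is the server's authoritative setting.
USERS: Dict[str, Dict[str, bool]] = {
    "alice": {"mfa_enabled": True},
    "bob": {"mfa_enabled": False},
}

# The only endpoints reachable before the second factor; everything else is denied by default.
PRE_2FA_ALLOWLIST = {"/login", "/oauth/callback", "/password/reset", "/2fa/auth", "/logout"}


class AuthState(Enum):
    ANONYMOUS = "anonymous"
    PENDING_2FA = "pending_2fa"      # first factor done, second factor outstanding
    AUTHENTICATED = "authenticated"


class Session:
    """Server-side session. The client holds only an opaque id and cannot edit these fields,
    so rewriting a response body or status code on the client changes nothing here."""

    def __init__(self) -> None:
        self.state = AuthState.ANONYMOUS
        self.user: Optional[str] = None


def _first_factor_done(session: Session, username: str) -> None:
    """Single landing point for every first-factor path; the user record decides what comes next."""
    session.user = username
    if USERS[username]["mfa_enabled"]:
        session.state = AuthState.PENDING_2FA
    else:
        session.state = AuthState.AUTHENTICATED


def login_with_password(session: Session, username: str, password_ok: bool) -> None:
    # password_ok stands in for the credential check, which is out of scope here
    if password_ok:
        _first_factor_done(session, username)


def complete_password_reset(session: Session, username: str, reset_token_ok: bool) -> None:
    # A completed reset counts as a first factor, never as a full login.
    if reset_token_ok:
        _first_factor_done(session, username)


def login_with_oauth(session: Session, username: str, provider_assertion_ok: bool) -> None:
    # The identity provider vouches for the first factor only.
    if provider_assertion_ok:
        _first_factor_done(session, username)


def complete_2fa(session: Session, otp_ok: bool) -> None:
    """The only transition into AUTHENTICATED for an MFA-enabled user."""
    if session.state is AuthState.PENDING_2FA and otp_ok:
        session.state = AuthState.AUTHENTICATED


def authorize(session: Session, path: str) -> int:
    """HTTP status the server returns for `path` given the session's state."""
    if path in PRE_2FA_ALLOWLIST:
        return 200
    if session.state is AuthState.AUTHENTICATED:
        return 200
    if session.state is AuthState.PENDING_2FA:
        return 302  # redirect back to /2fa/auth
    return 401


if __name__ == "__main__":
    s = Session()
    complete_password_reset(s, "alice", reset_token_ok=True)
    print("after reset, /dashboard ->", authorize(s, "/dashboard"))   # 302
    complete_2fa(s, otp_ok=True)
    print("after 2FA,   /dashboard ->", authorize(s, "/dashboard"))   # 200
```

With this shape, a new endpoint is protected the moment it exists, the reset and OAuth flows cannot skip the second factor, and a client that edits `{success:'false'}` to `{success:'true'}` in a response only changes what its own browser displays.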