Methods to Bypass two-factor Authentication
2022-3-7 19:32:38 Author: infosecwriteups.com (view original) Views: 38

Surendra Choudhury

There are multiple ways to bypass two-factor authentication. Here is a look at some of them.

Introduction

My name is Surendra, I am a security researcher, bug bounty hunter & ethical hacker. Without further ado, let’s get started.

The working mechanism of two-factor authentication:

Two-factor authentication (2FA) adds an extra layer of security to your online accounts by asking for a verification code after you sign in with your email address and password.

The verification code is generated by an application on your smartphone. To gain access to your account, a potential attacker would need your email address, your password, as well as your phone. Two-factor authentication works on the principle of “something you have”, which in most cases is your handheld phone (Shier, 2014). There are two methods by which the one-time code is delivered to your phone.

a. Using a text message

b. Using a third-party software (Authy, Google Authenticator)

Using a text message

SMS

Web application vendors can use public SMS APIs and devise their own code generation algorithm to send 2FA codes to users via SMS. This method does not require any internet access on the mobile phone; it uses the GSM network to deliver the one-time codes.

Using third party software

Authy

One-time codes can also be delivered by integrating the web application’s login mechanism with third-party software such as Authy or Google Authenticator. This method requires the phone to have internet access: the app communicates with its cloud interface, which in turn communicates with the web application’s login function to generate codes and synchronize timing with the login panel. The flow is:

1. Application authentication

2. Standard Login

3. OTP generation

4. OTP delivery

Currently, there are three different OATH OTP types that are the most widely used: event-based tokens, time-based tokens, and challenge-based tokens.

Event-Based Token (HOTP): An OTP system generates event-based tokens on demand from a static secret key and a dynamic value, such as a counter, combined through an HMAC (the H in HOTP) (IETF, 2005). An event-based token is usually valid for a variable amount of time but could be valid for an unlimited amount of time.

Time-Based Token (TOTP): An OTP system generates time-based tokens automatically every so often based on a static random key value and a dynamic time value (such as current time of day). The time-based token is only valid for a certain amount of time, such as 30 or 60 seconds (IETF, TOTP: Time-Based One-Time Password Algorithm, 2011). TOTP is a subset of HOTP.

Challenge-Based Token (OCRA): An OTP system generates challenge-based tokens on demand (IETF, OCRA: OATH Challenge-Response Algorithm, 2011), using a random challenge key that is provided by the authentication server at each unique user log-in. The challenge-based token is valid for a certain amount of time such as several minutes.

The current two-factor authentication mechanism is flawed from its design through to its implementation. The two-factor authentication system was originally designed to strengthen the security of customers and users of online platforms. It was never considered that such a system should be secure on its own, and because of this there are several workarounds, discussed further in this paper, that can be used to bypass 2FA under various circumstances (Etay, 2014). The prime focus here, however, is the identification of flaws in 2FA implementation and design.

This paper discusses four methods of bypassing two-factor authentication mechanisms in web-based systems.

Bypassing 2FA using conventional session management

This method bypasses the two-factor authentication mechanism through the password reset function. In all web applications, the password reset function automatically logs the user into the application after the reset procedure is completed (Securityweek, 2016). Most of the time, the 2FA check is not applied to the login that follows the password reset. The process flow works in the following way:

To Change Password > Request Password Reset Token > Use Password Reset token > Login to the web application

Using this technique, the attacker can bypass two-factor authentication in online platforms. Essentially, the password reset token establishes a session with the application immediately after the reset has taken place, and that session is what leads to the bypass.

Bypassing 2FA via the OAuth mechanism

An OAuth integration is a third-party login mechanism that allows a user to log in using a third-party account, normally with a well-known web application such as Facebook or Google. A typical OAuth request works in the following way:

Site.com requests Facebook for auth token > Facebook verifies user account > Facebook sends callback code > Site.com logs user in

As can be seen, there is no 2FA step anywhere in this process flow. An attacker can potentially abuse this and use the OAuth integration to log into the web application instead of using the username and password (Shah, 2014). For this bypass to work, the attacker must have access to the OAuth integration account in order to log in on behalf of the user.
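The password reset and OAuth flows above share one root cause: a session minted by a path other than the normal password login is treated as fully authenticated, so the 2FA step is never reached. The toy session store below is an added example, not code from the article; the `AuthServer` class, its flag, and all account, token and code values are constructed, and it runs the same two entry points with and without the fix:

```python
import hmac
import secrets

class AuthServer:
    """Toy session store for the two flows above. A session can be minted by a
    password reset token or by an OAuth callback; the only difference between
    the vulnerable and the hardened server is whether such a session is trusted
    before the second factor has been presented."""

    def __init__(self, require_2fa_on_all_paths: bool):
        self.hardened = require_2fa_on_all_paths
        self.accounts = {}      # username -> {"totp_enabled": bool, "current_totp": str}
        self.reset_tokens = {}  # reset token -> username
        self.sessions = {}      # session id -> {"user": str, "second_factor_done": bool}

    def add_account(self, username: str, totp_enabled: bool, current_totp: str) -> None:
        # current_totp is a constructed stand-in for what the user's authenticator shows.
        self.accounts[username] = {"totp_enabled": totp_enabled, "current_totp": current_totp}

    def _new_session(self, username: str) -> str:
        sid = secrets.token_urlsafe(16)
        # Vulnerable: the session is fully trusted the moment it is created.
        # Hardened: only the first factor is trusted; 2FA must still be passed.
        self.sessions[sid] = {"user": username, "second_factor_done": not self.hardened}
        return sid

    def issue_reset_token(self, username: str) -> str:
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = username
        return token

    def redeem_reset_token(self, token: str, new_password: str) -> str:
        username = self.reset_tokens.pop(token)            # single use
        self.accounts[username]["password"] = new_password
        return self._new_session(username)                 # auto-login after reset

    def oauth_callback(self, provider_verified_user: str) -> str:
        # The identity provider vouched for the user; no password was entered here.
        return self._new_session(provider_verified_user)

    def submit_second_factor(self, sid: str, code: str) -> None:
        account = self.accounts[self.sessions[sid]["user"]]
        if hmac.compare_digest(code.encode(), account["current_totp"].encode()):
            self.sessions[sid]["second_factor_done"] = True

    def can_access(self, sid: str) -> bool:
        session = self.sessions[sid]
        account = self.accounts[session["user"]]
        return session["second_factor_done"] or not account["totp_enabled"]
```

With the flag off, both `redeem_reset_token` and `oauth_callback` return a session that `can_access` accepts without any code being submitted; with it on, every entry path lands in the same "first factor only" state until `submit_second_factor` succeeds.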

Bypassing 2FA via brute force

Web developers leave a very distinctive flaw when they forget to rate-limit input fields. In the case of 2FA, if the code field is not rate limited, brute force becomes possible, and the attacker can guess the 2FA code that was sent to the device (Bullock, 2016). Usually the 2FA code is 4 to 6 characters long and often numeric, which gives about 151,800 possibilities; in a real-world scenario that is easily brute-forceable using a normal computer.

Bypassing 2FA using race conditions

A race condition is defined here as the recursive use of a previously known value. It is an attack that takes advantage of the application’s willingness to accept previously used or unused tokens at a later point in time. From the 2FA perspective (Hoffmen, 2015), an attacker can use previously used or unused token values to verify the device. However, this technique requires the attacker to have access to the previously generated values, which can be obtained by reversing the code generation app’s algorithm or by intercepting a previously issued code.
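The brute-force and token-reuse cases above are both handled on the server side of the OTP check. As an added example that is not from the article, here is a TOTP verifier per RFC 4226/6238 with the two defences those cases call for: a per-account attempt limit and a record of the last accepted time step. The `OtpVerifier` class and its limits are assumptions; the secret used in the usage below is the RFC 4226 test key, chosen only so that the expected codes can be checked against the published vectors.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side TOTP check (RFC 6238: HOTP with counter = unix_time // step) that
    adds a per-account attempt limit against brute force, and remembers the last
    accepted time step so that a code which was already used, or an older one that
    was intercepted earlier, is never accepted again."""

    def __init__(self, secret: bytes, max_attempts: int = 5, step: int = 30):
        self.secret = secret
        self.max_attempts = max_attempts
        self.step = step
        self.failed = 0               # consecutive wrong guesses for this account
        self.last_accepted_step = -1  # highest time step whose code was accepted

    def verify(self, code: str, now: int) -> str:
        """Return "ok", "bad", "replay" or "locked" for a code submitted at unix time `now`."""
        if self.failed >= self.max_attempts:
            return "locked"           # stop the guessing game entirely
        step = now // self.step
        # Accept one step of clock drift either side; compare in constant time.
        for candidate in range(max(step - 1, 0), step + 2):
            if hmac.compare_digest(hotp(self.secret, candidate).encode(), code.encode()):
                if candidate <= self.last_accepted_step:
                    return "replay"   # correct value, but already spent
                self.failed = 0
                self.last_accepted_step = candidate
                return "ok"
        self.failed += 1              # wrong guess: count it towards the lockout
        return "bad"


if __name__ == "__main__":
    v = OtpVerifier(b"12345678901234567890")   # RFC 4226 test key, constructed usage
    print(v.verify(hotp(v.secret, 1), 59))     # ok
    print(v.verify(hotp(v.secret, 1), 59))     # replay
```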

2FA itself should come with guidelines and briefings so that it can be implemented securely. Most organizations perform a default implementation of 2FA, which is why such vulnerabilities continue to arise and the security of their users is put at risk. 2FA is evolving into MFA (multi-factor authentication), which follows the same architecture as 2FA, meaning that the vulnerabilities are also similar.

Future of Two Factor Authentication

MFA, however, uses not just the handheld device as a point of authentication but multiple devices, including Internet of Things devices. MFA has the same working principle as described earlier, but instead of a single point of authentication it uses any and every device in the Internet of Things network and generates the code based on that device. MFA will also be subject to the same conventional bypasses as 2FA, so its architecture needs to be adjusted to make it more secure.

Conclusion

Two-factor authentication, despite all its vulnerabilities, remains the best approach to securing user accounts in conventional web applications. However, that is not to say that the bypasses discussed should be ignored. Web developers should carefully review the two-factor authentication mechanisms in their websites to ensure that common bypass techniques are ineffective. Two-factor authentication bypasses may emerge from time to time and different techniques may be involved in such attacks; the only way forward is to keep iterating one’s own approach to testing two-factor authentication, as that makes it easier to predict the attacker’s methodology.

If you want to support my effort you can buy a coffee for me -

https://www.buymeacoffee.com/surendrapander

You can subscribe to my YouTube channel for future hacking-related videos and updates!
Channel link — https://www.youtube.com/c/TechnicalSurendrachannel

Thanks for reading this blog. If you find it valuable then give it some applause 👏👏,
follow me & share this blog with your friends and the rest of the community. I will see you in the next blog. Till then keep learning, keep exploring!

Peace ✌ !

My social media accounts -
Twitter — https://twitter.com/technicalSure
YouTube — https://www.youtube.com/channel/UCZq87M0I0-zEfLuyyfEeE6Q
Instagram — https://www.instagram.com/surendra_choudhary1241/
LinkedIn — https://www.linkedin.com/in/surendra-pander-4066761b7/


Article source: https://infosecwriteups.com/methods-to-bypass-two-factor-authentication-bc2bd35bd44e?source=rss----7b722bfd1b8d--bug_bounty