Vulnerabilities in multi-factor authentication

Some websites require users to prove their identity through multiple authentication factors rather than a password alone.

Two-factor authentication (2FA) is based on something you know and something you have: the user must typically enter both their password and a temporary verification code.

Two factor authentication tokens

Verification codes are read by the user from a physical device of some kind that they possess. High-security websites provide users with a dedicated device for this purpose, such as the RSA token or the keypad device used to access online banking or a work laptop. These devices have the advantage of generating the verification code directly on the device, so the code is never transmitted to the user and cannot be intercepted in transit; the second factor genuinely depends on possession of the device.

On the other hand, some websites send verification codes to the user's mobile phone as a text message, which opens the second factor to attack:

  • The code is generated by the server and transmitted over the phone network via SMS instead of being generated by the user's device itself, so it can potentially be intercepted in transit.

  • There is always the risk of SIM swapping, where an attacker obtains a SIM card with the victim's phone number (typically by social-engineering the mobile carrier) and from then on receives all SMS messages sent to the victim, including the one containing the verification code.

Bypassing two-factor authentication

If the user is first prompted to enter a password, and then prompted to enter a verification code on a separate page, the user is effectively in a "logged in" state before entering the verification code: the server has already created a session that identifies them. In this case, we can test whether we can skip straight to "logged-in only" pages after completing the first authentication step. In practice, complete the password step, note the session cookie, and then request a post-login page (for example the account page) directly instead of following the redirect to the code prompt. Occasionally, we will find that a website doesn't actually check whether or not we completed the second step before loading the page.
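The following is an added example (not code from the original page or from any lab) that models the two-step login as plain Python functions: a `/login` handler that issues a session after the password check, a `/login2` handler that verifies the code, and two versions of a `/my-account` handler, one that only checks that the session names a user (bypassable) and one that also requires the second step to have been completed. The user `wiener`, password `peter`, the code `1234`, the session store and the `bypass_possible` check are all constructed for this example.

```python
"""Toy two-step login showing the 2FA bypass described above.

Added example: the user, password, code, routes and session store are
constructed sample data, not taken from any real site."""

import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed sample user store: username -> (password, current 2FA code).
USERS: Dict[str, Tuple[str, str]] = {"wiener": ("peter", "1234")}

# Server-side session store: session id -> session state.
SESSIONS: Dict[str, dict] = {}

Response = Tuple[int, str]  # (HTTP status, body or redirect Location)


def password_step(username: str, password: str) -> Optional[str]:
    """Step 1 (POST /login): check the password and issue a session cookie.
    The session already names the user before any code has been checked,
    which is what makes the page-level check below matter."""
    record = USERS.get(username)
    if record is None or not secrets.compare_digest(record[0], password):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "mfa_verified": False}
    return sid


def mfa_step(sid: str, code: str) -> bool:
    """Step 2 (POST /login2): verify the one-time code for the session's user."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    expected_code = USERS[session["user"]][1]
    if secrets.compare_digest(expected_code, code):
        session["mfa_verified"] = True
        return True
    return False


def my_account_vulnerable(sid: str) -> Response:
    """GET /my-account on a site that only checks that a session names a user.
    Requesting it straight after step 1, without ever visiting /login2,
    still returns 200."""
    session = SESSIONS.get(sid)
    if session is None or "user" not in session:
        return 302, "/login"
    return 200, f"Welcome, {session['user']}"


def my_account_fixed(sid: str) -> Response:
    """GET /my-account on a site that also gates on completion of step 2."""
    session = SESSIONS.get(sid)
    if session is None or "user" not in session:
        return 302, "/login"
    if not session.get("mfa_verified"):
        return 302, "/login2"   # send the user back to the code prompt
    return 200, f"Welcome, {session['user']}"


def bypass_possible(handler: Callable[[str], Response]) -> bool:
    """The test from the text: complete the password step, skip the code
    prompt entirely, and request the logged-in-only page directly."""
    sid = password_step("wiener", "peter")
    if sid is None:
        return False
    status, _ = handler(sid)
    return status == 200


if __name__ == "__main__":
    print("vulnerable /my-account bypassable:", bypass_possible(my_account_vulnerable))
    print("fixed /my-account bypassable:", bypass_possible(my_account_fixed))
```

Against a real target the same check is done with a proxy or curl: submit the password form, copy the `Set-Cookie` value from the response, and send a `GET` for the account page with that cookie without ever submitting the code form. A 200 with account content, rather than a redirect back to the code prompt, is the finding. The fix is the one `my_account_fixed` shows: every post-login page must check a server-side flag that is set only by the second step, not merely that a session exists.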

Labs

2FA simple bypass
