
By:
Mauricio Orellana
(Cybersecurity Researcher)


2FA bypassing 101

Two-factor authentication (2FA) is now a standard security control in most web and mobile applications. It has received a lot of attention lately, and some specialists are starting to question how much protection it really gives end users. To get a feel for that, this post walks through a simple demonstration of taking over a mobile application account while knowing only one of the two authentication factors, in a deliberately vulnerable scenario built for the purpose.

Authentication factors

Two-factor authentication adds an extra layer of security to an account: an additional login step that keeps others out even if they have obtained the password. At the basic level, logging into an online account only requires the password, which is the first step in verifying identity.

With 2FA, a second piece of information is required: the user must present it in order to access the account. A familiar example of 2FA outside the Internet is an ATM, where operating the machine requires something you have (the bank card) and something you know (the PIN). The additional layer comes from one of three basic factor categories: something you know, something you have and something you are. Below, we detail the type of information that fits each category:

  • Something you know: a PIN code, the answers to security questions and, of course, your password.

  • Something you have: usually a physical object, such as a hardware security token or an ID card. It can also be a mobile phone whose possession is verified through a dedicated application (such as Google Authenticator) or through an SMS code.

  • Something you are: biometric data, typically fingerprint or facial recognition (such as Apple's Touch ID and Face ID) or retina recognition.

Techniques for bypassing 2FA

There is a variety of techniques for attacking 2FA, some easier to pull off than others. The main ones are:

  • Clickjacking on 2FA Disable Feature
  • Response Manipulation
  • Status Code Manipulation
  • 2FA Code Reusability
  • CSRF on 2FA Disable Feature
  • Backup Code Abuse
  • Enabling 2FA Doesn’t Expire Previous Session
  • 2FA Referer Check Bypass
  • 2FA Code Leakage in Response
  • JS File Analysis
  • Lack of Brute-Force Protection
  • Password Reset/Email Change - 2FA Disable
  • Missing 2FA Code Integrity Validation
  • Direct Request
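Several items in the list above (2FA Code Reusability, Lack of Brute-Force Protection and Missing 2FA Code Integrity Validation) are really defects of the same server-side step: the one that checks the submitted OTP. The following Python example, added here and not part of the original post or of any application it mentions, puts a verifier with those three defects next to a hardened one and exercises each weakness. The store classes, the 300-second lifetime, the five-attempt limit and the usernames are assumptions made for the example.

```python
"""Constructed example: a weak OTP verifier next to a hardened one.

WeakOtpStore has three of the bugs from the technique list:
  * the code is not consumed after use        (2FA Code Reusability)
  * guesses are unlimited                     (Lack of Brute-Force Protection)
  * the code is not bound to the user         (Missing 2FA Code Integrity Validation)
HardenedOtpStore fixes all three. Names and constants are assumptions.
"""
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5        # assumed guess limit per issued code


def _random_code():
    return f"{secrets.randbelow(10**6):06d}"   # six decimal digits


class WeakOtpStore:
    """One global pool of issued codes, shared by every account."""

    def __init__(self):
        self.codes = set()

    def issue(self, username, code=None):
        code = code or _random_code()
        self.codes.add(code)           # username is not recorded at all
        return code

    def verify(self, username, code):
        # No attempt counter, code never removed, username ignored.
        return code in self.codes


class HardenedOtpStore:
    """Codes are bound to a user, expire, are single-use and rate-limited."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # username -> {"code", "expires", "attempts"}

    def issue(self, username, code=None):
        code = code or _random_code()
        self.pending[username] = {
            "code": code,
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, username, code):
        entry = self.pending.get(username)
        if entry is None:
            return False                  # nothing issued for this user
        if self.now() > entry["expires"]:
            del self.pending[username]    # expired code is discarded
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[username]    # too many guesses: invalidate the code
            return False
        ok = hmac.compare_digest(entry["code"], code)   # constant-time compare
        if ok:
            del self.pending[username]    # single use: consumed on success
        return ok


def demo_replay(store_cls):
    """True if the same code is accepted twice for the same user."""
    store = store_cls()
    code = store.issue("admin", "123456")
    first = store.verify("admin", code)
    second = store.verify("admin", code)
    return first and second


def demo_cross_user(store_cls):
    """True if a code issued to 'attacker' logs in 'admin'."""
    store = store_cls()
    attacker_code = store.issue("attacker", "111111")
    store.issue("admin", "222222")
    return store.verify("admin", attacker_code)


def demo_bruteforce(store_cls):
    """True if the right code still works after MAX_ATTEMPTS + 5 wrong guesses."""
    store = store_cls()
    code = store.issue("admin", "123456")
    for i in range(MAX_ATTEMPTS + 5):
        wrong = f"{(int(code) + 1 + i) % 10**6:06d}"   # guaranteed != code
        store.verify("admin", wrong)
    return store.verify("admin", code)
```

Each `demo_*` function returns True against `WeakOtpStore` and False against `HardenedOtpStore`; the lockout in the hardened verifier is deliberately per issued code rather than per account, so an attacker cannot use it to lock a legitimate user out indefinitely.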

Lab

In this post we analyze how 2FA can be breached through the 2FA Code Leakage in Response technique, step by step. To reproduce the vulnerability we installed the hpAndro 2FA mobile application and routed its traffic through Burp Suite. Since the existing users of the application are known, we attempt to log in with the administrator's credentials.


Intercepting the traffic with Burp Suite, we see that the application does not protect it with strong encryption, so the credentials can be read in plain text. (Burp sits as a proxy on the test device and would show the request either way; the point is that the credentials travel in the clear, where any on-path observer could read them.)


In the same intercepted exchange, the application's own response to the login request discloses the OTP (One-Time Password) that is meant to serve as the second factor. The server hands the second factor to whoever submitted the first one.


With both factors in hand, we simply complete the login.

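To make the lab's finding concrete, here is a Python example, added here and not code from the original post or from the hpAndro application, that simulates a password-login endpoint returning the OTP in its JSON body, the corrected version that sends the code out of band and returns only an opaque challenge id, and the response check a tester runs on intercepted traffic to spot the leak. The endpoint and field names, the user table and the "sent codes" list standing in for SMS or push delivery are all assumptions made for the example.

```python
"""Constructed example of the '2FA Code Leakage in Response' pattern.

login_vulnerable returns the freshly issued OTP to whoever sent the password.
login_fixed delivers the OTP on a separate channel and returns only an opaque
challenge id. find_leaked_otp is what a tester runs on a captured response.
All names, the user table and the delivery stand-in are assumptions.
"""
import json
import re
import secrets

USERS = {"admin": "admin123"}    # constructed credentials for the demo
SENT_CODES = []                  # stand-in for the SMS/push channel


def _random_code():
    return f"{secrets.randbelow(10**6):06d}"


def login_vulnerable(username, password):
    """Returns (http_status, json_body). The OTP is in the body: that is the bug."""
    if USERS.get(username) != password:
        return 401, json.dumps({"status": "fail"})
    otp = _random_code()
    return 200, json.dumps({"status": "ok", "otp": otp, "message": "Enter the OTP"})


def login_fixed(username, password):
    """Same flow, but the OTP goes out of band and the body only carries a challenge id."""
    if USERS.get(username) != password:
        return 401, json.dumps({"status": "fail"})
    otp = _random_code()
    SENT_CODES.append((username, otp))          # delivered on the user's own channel
    challenge = secrets.token_urlsafe(16)       # opaque reference to the pending OTP
    return 200, json.dumps({"status": "ok", "challenge": challenge})


# Field names that commonly carry a second factor, and the shape of a numeric code.
SUSPECT_KEY = re.compile(r"(otp|code|pin|token|2fa|mfa)", re.IGNORECASE)
DIGIT_CODE = re.compile(r"^\d{4,8}$")


def find_leaked_otp(body):
    """Walk a JSON response and collect fields that look like an OTP.

    Returns a list of (json_path, value) pairs; an empty list means no hit.
    """
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        else:
            key = path.rsplit(".", 1)[-1]
            if SUSPECT_KEY.search(key) and DIGIT_CODE.match(str(node)):
                hits.append((path, str(node)))

    walk(json.loads(body), "")
    return hits


def steal_second_factor(login_fn, username, password):
    """Attacker's view: knowing only the password, try to get the OTP from the response."""
    status, body = login_fn(username, password)
    if status != 200:
        return None
    hits = find_leaked_otp(body)
    return hits[0][1] if hits else None


if __name__ == "__main__":
    print("vulnerable:", steal_second_factor(login_vulnerable, "admin", "admin123"))
    print("fixed:     ", steal_second_factor(login_fixed, "admin", "admin123"))
```

`find_leaked_otp` is intentionally generous about field names and strict about the value shape; when reviewing real captures, also search response bodies for the exact code the user receives, since a leak can hide under an unrelated key.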

Discussion

While this example is technically very basic, it shows that 2FA is not an unconditionally secure method and that it can be breached in several ways. The second factor only adds security if the application never exposes it to whoever already holds the first. The open question is whether to strengthen the existing second authentication step or to add a third factor, which is what we usually call MFA (Multi-Factor Authentication). We will continue to explore these issues in future posts.