Attacking MFA

Common MFA bypass techniques can include:

  • Phishing attacks to collect both factors

  • Exploiting insecure backup/recovery methods

  • Man-in-the-middle attacks

  • Exploiting implementation weaknesses

Other learning resources:

  • OWASP: https://owasp.org/www-community/controls/Multi-Factor_Authentication

  • Duo Security: https://duo.com/docs/duosec-v1

  • Google Authenticator: https://github.com/google/google-authenticator

Checklist

  • Understand the MFA implementation

    • What factors are used?

    • What backup/recovery methods exist?

    • Is there a fall-back option to less secure methods?

  • Go through the MFA processes

    • Initial enrollment process

    • Login process with MFA

    • Recovery/Backup process

    • Deactivation process

  • Are there any implementation weaknesses?

    • Does the application allow "remember me" functionality?

    • Can OTPs be predicted or intercepted?

    • Are session tokens securely handled?

    • Is there a secure lockout mechanism after multiple failed attempts?

  • Can we bypass MFA?

    • Can we bruteforce the token?

    • Can insecure backup/recovery methods be exploited?

    • Can a new device be added without proper verification?

    • Is there any notification on registration of a new device?

    • Can the notification be suppressed?

  • Are there any backdoors?

    • Is there an alternative login flow that bypasses MFA?

    • Is there a less secure service that doesn't require MFA but grants similar access?

    • Are there any APIs or resources that do not enforce MFA?

MFA code not tied to user

Obtain a valid MFA code for one account, then, in Burp, change the account identifier in the verification request while sending it. If the code is accepted, the server is not binding codes to the user they were issued to.
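One way to demonstrate the "code not tied to user" weakness above in working code, together with the lockout, predictability and single-use items from the checklist. This is an added example, not code from the original page; `OtpVerifier` is a hypothetical in-memory store. `verify_weak` matches the submitted code against every live challenge without checking the account, which is exactly what the Burp test detects; `verify` binds the code to the user and also enforces expiry, single use and lockout.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    user: str          # account the code was issued to
    code: str          # 6-digit one-time code
    expires_at: float  # absolute unix time
    used: bool = False


class OtpVerifier:
    """Hypothetical server-side OTP store (constructed for this example)."""

    def __init__(self, ttl=300, max_attempts=5):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.challenges = []  # issued codes, kept in memory
        self.failures = {}    # user -> consecutive failed attempts

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not predictable
        self.challenges.append(Challenge(user, code, now + self.ttl))
        return code

    def verify_weak(self, user, code):
        # Weak check: never looks at `user`, so a code issued to one
        # account is accepted for any account (the checklist finding).
        return any(not c.used and hmac.compare_digest(c.code.encode(), code.encode())
                   for c in self.challenges)

    def verify(self, user, code, now=None):
        now = time.time() if now is None else now
        if self.failures.get(user, 0) >= self.max_attempts:
            return False  # locked out: refuse even a correct code
        match = next((c for c in self.challenges
                      if c.user == user and not c.used and now < c.expires_at
                      and hmac.compare_digest(c.code.encode(), code.encode())), None)
        if match is None:
            self.failures[user] = self.failures.get(user, 0) + 1
            return False
        match.used = True  # single use: replaying the same code fails
        self.failures[user] = 0
        return True
```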
