Attacking MFA

What is it?

Multi-Factor Authentication (MFA) is a method of confirming a user's identity by using multiple pieces of evidence (factors), typically something they know (like a password), something they have (like a physical token or a mobile device), and something they are (like biometric data).

A simple example

A web application requests a password (first factor - something the user knows), then a one-time password sent to a mobile device (second factor - something the user has). An attacker could attempt to bypass MFA by stealing both the user's password and the OTP, or by exploiting vulnerabilities in the MFA implementation.

Common MFA bypass techniques can include:

• Phishing attacks to collect both factors

• Exploiting insecure backup/recovery methods

• Man-in-the-middle attacks

• Exploiting implementation weaknesses

Other learning resources:

• OWASP: https://owasp.org/www-community/controls/Multi-Factor_Authentication

• Duo Security: https://duo.com/docs/duosec-v1

• Google Authenticator: https://github.com/google/google-authenticator

Checklist

• Understand the MFA implementation

  • What factors are used?

  • What backup/recovery methods exist?

  • Is there a fall-back option to less secure methods?

• Go through the MFA processes

  • Initial enrollment process

  • Login process with MFA

  • Recovery/Backup process

  • Deactivation process

• Are there any implementation weaknesses?

  • Does the application allow "remember me" functionality?

  • Can OTPs be predicted or intercepted?

  • Are session tokens securely handled?

  • Is there a secure lockout mechanism after multiple failed attempts?

• Can we bypass MFA?

  • Can we bruteforce the token?

  • Exploiting insecure backup/recovery methods

  • Can a new device be added without proper verification?

  • Is there any notification on registration of a new device?

  • Can the notification be suppressed?

• Are there any backdoors?

  • Is there an alternative login flow that bypasses MFA?

  • Is there a less secure service that doesn't require MFA but grants similar access?

  • Are there any APIs or resources that do not enforce MFA?