# Attacking MFA

## What is it?

Multi-Factor Authentication (MFA) is a method of confirming a user's identity by using multiple pieces of evidence (factors), typically something they know (like a password), something they have (like a physical token or a mobile device), and something they are (like biometric data).

**A simple example**

A web application requests a password (first factor - something the user knows), then a one-time password (OTP) sent to a mobile device (second factor - something the user has). An attacker could attempt to bypass MFA by stealing both the user's password and the OTP, or by exploiting vulnerabilities in the MFA implementation.
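The second step of that flow is commonly implemented as a time-based OTP (RFC 6238 TOTP), which is what an authenticator app produces. The Python below is an added example, not code from the original page, showing what the server side of that check should look like: HMAC-based code generation, a constant-time comparison, a small clock-skew window, and rejection of a code that has already been used in the same time step. `DEMO_SECRET` is the published RFC 4226/6238 SHA-1 test-vector key, so the expected codes are known; `hotp`, `totp` and `TotpVerifier` are names chosen for this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226 / RFC 6238 SHA-1 test-vector key (20 ASCII bytes).
# A real deployment generates a random per-user secret at enrollment and never reuses it.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the Unix time divided into 30-second steps."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step)


class TotpVerifier:
    """Server-side TOTP check with the properties the checklist asks about.

    - constant-time comparison so timing does not reveal how many digits matched
    - a +/-window step tolerance for clock drift (window=1 accepts 3 codes)
    - each time step can be consumed once, so a captured code cannot be replayed

    `used_steps` is an in-memory stand-in for the persistent per-user store a real
    deployment would use to remember consumed time steps (an assumption of this example).
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.used_steps = set()

    def verify(self, submitted: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        # Reject malformed input before doing any crypto work.
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        current = int(now) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, submitted):
                if candidate in self.used_steps:
                    return False  # replay of a code that was already accepted
                self.used_steps.add(candidate)
                return True
        return False


if __name__ == "__main__":
    # At t=59 the RFC 6238 SHA-1 vector gives 94287082; with 6 digits that is 287082.
    v = TotpVerifier(DEMO_SECRET)
    print("code at t=59:", totp(DEMO_SECRET, now=59))
    print("first use accepted:", v.verify("287082", now=59))
    print("replay accepted:", v.verify("287082", now=59))
```

Note what the window does to the brute-force surface: with `window=1` there are three valid six-digit codes at any moment, so the verifier must be paired with an attempt limit (see the lockout item in the checklist); the replay check closes the gap where a phished or shoulder-surfed code is reused within its 30-second validity.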

Common MFA bypass techniques can include:

* Phishing attacks to collect both factors
* Exploiting insecure backup/recovery methods
* Man-in-the-middle attacks
* Exploiting implementation weaknesses

**Other learning resources:**

* OWASP: <https://owasp.org/www-community/controls/Multi-Factor_Authentication>
* Duo Security: <https://duo.com/docs/duosec-v1>
* Google Authenticator: <https://github.com/google/google-authenticator>

## Checklist

* [ ] Understand the MFA implementation
  * [ ] What factors are used?
  * [ ] What backup/recovery methods exist?
  * [ ] Is there a fall-back option to less secure methods?
* [ ] Go through the MFA processes
  * [ ] Initial enrollment process
  * [ ] Login process with MFA
  * [ ] Recovery/Backup process
  * [ ] Deactivation process
* [ ] Are there any implementation weaknesses?
  * [ ] Does the application allow "remember me" functionality?
  * [ ] Can OTPs be predicted or intercepted?
  * [ ] Are session tokens securely handled?
  * [ ] Is there a secure lockout mechanism after multiple failed attempts?
* [ ] Can we bypass MFA?
  * [ ] Can we brute-force the token?
  * [ ] Can insecure backup/recovery methods be exploited?
  * [ ] Can a new device be added without proper verification?
  * [ ] Is there any notification on registration of a new device?
  * [ ] Can the notification be suppressed?
* [ ] Are there any backdoors?
  * [ ] Is there an alternative login flow that bypasses MFA?
  * [ ] Is there a less secure service that doesn't require MFA but grants similar access?
  * [ ] Are there any APIs or resources that do not enforce MFA?
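The "Can we brute-force the token?" and "Is there a secure lockout mechanism after multiple failed attempts?" items are two sides of the same finding: a six-digit OTP has only 1,000,000 values, so the attempt limit is what makes guessing impractical. The Python below is an added example, not code from the original page. It models a per-account attempt gate in its weak (no lockout) and corrected configuration, computes the resulting guess-success bound, and runs a simple burst detector over a few constructed log lines of the kind a verifier should emit. `OtpAttemptGate`, `flag_otp_bursts` and the log format are inventions of this example.

```python
import re
from collections import defaultdict, deque

CODE_SPACE = 10 ** 6  # six-digit OTP


class OtpAttemptGate:
    """Counts failed OTP attempts per account and enforces a temporary lockout.

    max_failures=None models the weak configuration where every guess is evaluated.
    """

    def __init__(self, max_failures, lockout_seconds):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record(self, account, success, now):
        """Return True if the attempt was evaluated, False if it was refused by the lockout."""
        if self.is_locked(account, now):
            return False
        if success:
            self.failures[account] = 0
            return True
        self.failures[account] += 1
        if self.max_failures is not None and self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
        return True


def simulate_guessing(gate, account, attempts, now=0.0, spacing=0.1):
    """Feed `attempts` wrong codes through the gate; return how many were actually evaluated."""
    evaluated = 0
    for i in range(attempts):
        if gate.record(account, success=False, now=now + i * spacing):
            evaluated += 1
    return evaluated


def guess_success_probability(attempts, accepted_codes=1, code_space=CODE_SPACE):
    """Upper bound on the chance that `attempts` random guesses hit one of the
    `accepted_codes` currently valid codes (3 for a TOTP verifier with a +/-1 step window)."""
    return min(1.0, attempts * accepted_codes / code_space)


# Constructed log format for the detector: "<unix_ts> mfa_verify user=<name> result=ok|fail".
LOG_RE = re.compile(r"^(?P<ts>\d+) mfa_verify user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def flag_otp_bursts(lines, threshold=10, window_seconds=60):
    """Return accounts with at least `threshold` OTP failures inside any `window_seconds`
    span. Lines are assumed to be in timestamp order."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "fail":
            continue
        ts = int(m["ts"])
        q = recent[m["user"]]
        q.append(ts)
        while q and q[0] < ts - window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(m["user"])
    return flagged


# Constructed sample: alice fails 12 times in 12 seconds, bob fails once then succeeds.
SAMPLE_LOG = [f"{1000 + i} mfa_verify user=alice result=fail" for i in range(12)] + [
    "1020 mfa_verify user=bob result=fail",
    "1025 mfa_verify user=bob result=ok",
]

if __name__ == "__main__":
    weak = OtpAttemptGate(max_failures=None, lockout_seconds=0)
    strict = OtpAttemptGate(max_failures=5, lockout_seconds=900)
    print("weak gate evaluated:", simulate_guessing(weak, "alice", 1000))
    print("strict gate evaluated:", simulate_guessing(strict, "alice", 1000))
    print("p(success) after 1,000,000 unthrottled guesses:", guess_success_probability(10 ** 6))
    print("p(success) with 5 guesses, 3 valid codes:", guess_success_probability(5, accepted_codes=3))
    print("flagged accounts:", flag_otp_bursts(SAMPLE_LOG))
```

Two caveats a tester should record alongside the finding. The limit has to be keyed to the account or the pending MFA challenge, not to the client IP or a cookie the attacker controls, otherwise it is trivially reset; and a hard per-account lockout hands an attacker a way to lock legitimate users out, so a progressive delay or a limit tied to the individual challenge is usually the better corrected setting.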

