
# Attacking MFA

## What is it?

Multi-Factor Authentication (MFA) is a method of confirming a user's identity by using multiple pieces of evidence (factors), typically something they know (like a password), something they have (like a physical token or a mobile device), and something they are (like biometric data).

**A simple example**

A web application requests a password (first factor - something the user knows), then a one-time password sent to a mobile device (second factor - something the user has). An attacker could attempt to bypass MFA by stealing both the user's password and the OTP, or by exploiting vulnerabilities in the MFA implementation.

Common MFA bypass techniques can include:

* Phishing attacks to collect both factors
* Exploiting insecure backup/recovery methods
* Man-in-the-middle attacks
* Exploiting implementation weaknesses

**Other learning resources:**

* OWASP: <https://owasp.org/www-community/controls/Multi-Factor_Authentication>
* Duo Security: <https://duo.com/docs/duosec-v1>
* Google Authenticator: <https://github.com/google/google-authenticator>

## Checklist

* [ ] Understand the MFA implementation
  * [ ] What factors are used?
  * [ ] What backup/recovery methods exist?
  * [ ] Is there a fall-back option to less secure methods?
* [ ] Go through the MFA processes
  * [ ] Initial enrollment process
  * [ ] Login process with MFA
  * [ ] Recovery/Backup process
  * [ ] Deactivation process
* [ ] Are there any implementation weaknesses?
  * [ ] Does the application allow "remember me" functionality?
  * [ ] Can OTPs be predicted or intercepted?
  * [ ] Are session tokens securely handled?
  * [ ] Is there a secure lockout mechanism after multiple failed attempts?
* [ ] Can we bypass MFA?
  * [ ] Can we bruteforce the token?
  * [ ] Can insecure backup/recovery methods be exploited?
  * [ ] Can a new device be added without proper verification?
  * [ ] Is there any notification on registration of a new device?
  * [ ] Can the notification be suppressed?
* [ ] Are there any backdoors?
  * [ ] Is there an alternative login flow that bypasses MFA?
  * [ ] Is there a less secure service that doesn't require MFA but grants similar access?
  * [ ] Are there any APIs or resources that do not enforce MFA?
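The "implementation weaknesses" and "bypass" items above (predictable OTPs, brute-forcing the token, lockout after repeated failures) come down to a handful of server-side checks. The following verifier is an added example, not code from this page or from any of the projects linked above; it assumes an in-memory store, a six-digit code delivered out of band, and an injectable clock so the expiry and lockout behaviour can be exercised without waiting.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300        # a code is valid for five minutes
MAX_FAILED_ATTEMPTS = 5      # then the second factor locks for the user
LOCKOUT_SECONDS = 900

class OtpVerifier:
    """Issue and verify one-time codes for the second login step.
    State is in memory here (assumption for the example); a real service
    keeps it in a store shared by every application instance."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}      # user -> (code, issued_at, already_used)
        self.failures = {}   # user -> (failed_count, locked_until)

    def issue(self, user):
        # CSPRNG output: one code reveals nothing about the next one.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.codes[user] = (code, self.clock(), False)
        return code

    def verify(self, user, submitted):
        now = self.clock()
        failed, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"      # refused even if the guess is right
        if locked_until:
            failed, locked_until = 0, 0.0   # lockout elapsed, fresh window
        entry = self.codes.get(user)
        if entry is None or entry[2] or now - entry[1] > OTP_TTL_SECONDS:
            return "expired"     # single-use and time-bounded: no live code
        code, issued_at, _ = entry
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            self.codes[user] = (code, issued_at, True)
            self.failures.pop(user, None)
            return "ok"
        # The counter is per user and survives issuing new codes, so asking
        # for a fresh code does not reset the number of guesses allowed.
        failed += 1
        if failed >= MAX_FAILED_ATTEMPTS:
            self.failures[user] = (failed, now + LOCKOUT_SECONDS)
            return "locked"
        self.failures[user] = (failed, locked_until)
        return "wrong"
```

When testing an application against the checklist, each of these properties is something to probe: reuse a consumed code, submit a code after its window, request a fresh code after several failures, and see whether the server still accepts a guess while it should be locked.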
