
2FA bypass

What is 2FA?

Two-factor authentication, or 2FA, is a security measure that requires users to confirm their identity with two separate authentication factors. Usually these are something the person possesses (such as a security token) and something they know (such as a password). Because an attacker who holds only the password still cannot log in, 2FA adds a further layer of security and reduces the chance that a stolen or breached password leads to unauthorized access.

Two-Factor Authentication implementation methods

  • SMS-based 2FA: Users receive a one-time verification code via SMS on their registered mobile phone number, which they enter along with their password during login.

  • Authenticator App-based 2FA: Users generate one-time verification codes using an authenticator app installed on their smartphone, such as Google Authenticator, Microsoft Authenticator, or Authy.

  • Email-based 2FA: Users receive a one-time verification code via email, which they enter along with their password during login.

  • Hardware Tokens: Users use a physical device, such as a USB token or smart card, to generate one-time verification codes.

  • Biometric-based 2FA: Users verify their identity using biometric data, such as fingerprints, facial recognition, or voice recognition.

Bypass Methods

  • Response Manipulation: If the server's response contains "success":false, change it to "success":true and check whether the client then treats the 2FA step as passed.

  • Status Code Manipulation: If the status code is 4xx, change it to 200 OK and check whether that bypasses the restriction.

  • 2FA Code Leakage in Response: Check the response to the request that triggers the 2FA code to see whether the code itself is included in it.

  • JS File Analysis: Rare, but some JS files may contain information about the 2FA code; worth checking.

  • 2FA Code Reusability: The same code is accepted more than once.

  • Lack of Brute-Force Protection: With no rate limiting or lockout, a 2FA code of any length can be brute-forced.

  • Missing 2FA Code Integrity Validation: A code issued for one user account is accepted for another account, bypassing the 2FA.

  • CSRF on 2FA Disabling: No CSRF protection on the disable-2FA action, and no re-authentication is required either.

  • Password Reset Disables 2FA: 2FA is disabled when the password or email address is changed.

  • Backup Code Abuse: Bypassing 2FA by abusing the backup-code feature; the techniques above apply to backup codes as well, and a backup code may remove or reset the 2FA restriction.

  • Clickjacking on 2FA Disabling Page: Framing the 2FA disabling page in an iframe and social-engineering the victim into disabling 2FA.

  • Enabling 2FA Doesn't Expire Previously Active Sessions: Relevant when a session has already been hijacked and sessions are not expired on 2FA enrolment (a session-timeout weakness).

  • Time-Based OTP Bypass: An old (expired) TOTP code is still accepted, or an old TOTP verification response is accepted again.
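Most of the items in that list are server-side omissions rather than clever attacks, so the defender's view is a verifier that simply does not have them. The following is an added, constructed example (not code from the original page or from any project it describes) of a TOTP verifier in Python that: compares a code only against the requesting user's own secret (integrity validation), accepts only the current and one previous 30-second step (old TOTP rejected), records the highest step already consumed (no code reuse), locks the factor after repeated failures (brute-force protection), expires all sessions when 2FA is enabled, and requires a session-bound CSRF token plus a fresh password check before 2FA can be disabled. HOTP/TOTP follow RFC 4226 and RFC 6238; the `TwoFactorStore` class, its method names and the threshold constants are assumptions standing in for an application's user database.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

STEP_SECONDS = 30     # RFC 6238 time step
DIGITS = 6
DRIFT_STEPS = 1       # accept the current step and one earlier step only
MAX_FAILED = 5        # lock the factor after this many wrong codes (assumed policy)
LOCKOUT_SECONDS = 300


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(now // STEP_SECONDS))


@dataclass
class UserRecord:
    secret: bytes = b""
    last_used_step: int = -1            # highest time step already consumed
    failed_attempts: int = 0
    locked_until: float = 0.0
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token


class TwoFactorStore:
    """Assumed in-memory stand-in for an application's user/2FA database."""

    def __init__(self) -> None:
        self.users: dict[str, UserRecord] = {}

    def login_session(self, user: str) -> str:
        """Issue a session after the password step; each session gets its own CSRF token."""
        rec = self.users.setdefault(user, UserRecord())
        sid = secrets.token_urlsafe(16)
        rec.sessions[sid] = secrets.token_urlsafe(16)
        return sid

    def session_valid(self, user: str, sid: str) -> bool:
        rec = self.users.get(user)
        return rec is not None and sid in rec.sessions

    def csrf_token(self, user: str, sid: str) -> str:
        return self.users[user].sessions[sid]

    def enable_2fa(self, user: str) -> tuple[bytes, str]:
        """Enrol a fresh secret and expire every existing session, so a session
        hijacked before enrolment does not survive it. Returns (secret, new session)."""
        rec = self.users.setdefault(user, UserRecord())
        rec.secret = secrets.token_bytes(20)
        rec.last_used_step = -1
        rec.sessions.clear()
        return rec.secret, self.login_session(user)

    def disable_2fa(self, user: str, sid: str, csrf_token: str, password_ok: bool) -> bool:
        """Disabling needs a live session, the CSRF token bound to that session and a
        fresh password confirmation (password_ok is the result of that check)."""
        rec = self.users.get(user)
        if rec is None or sid not in rec.sessions or not password_ok:
            return False
        if not hmac.compare_digest(rec.sessions[sid], csrf_token):
            return False
        rec.secret = b""
        rec.last_used_step = -1
        return True

    def verify(self, user: str, code: str, now: float) -> str:
        """Return 'ok', 'invalid', 'reused' or 'locked'; only this user's secret is consulted."""
        rec = self.users.get(user)
        if rec is None or not rec.secret:
            return "invalid"
        if now < rec.locked_until:
            return "locked"
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return self._fail(rec, now, "invalid")
        current = int(now // STEP_SECONDS)
        for step in range(current, current - DRIFT_STEPS - 1, -1):
            if hmac.compare_digest(hotp(rec.secret, step), code):
                if step <= rec.last_used_step:      # already consumed: no replay
                    return self._fail(rec, now, "reused")
                rec.last_used_step = step
                rec.failed_attempts = 0
                return "ok"
        return self._fail(rec, now, "invalid")

    def _fail(self, rec: UserRecord, now: float, reason: str) -> str:
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED:       # brute-force protection
            rec.locked_until = now + LOCKOUT_SECONDS
            rec.failed_attempts = 0
        return reason
```

Two design points are worth noting. The "2FA passed" state lives in `TwoFactorStore`, not in anything the client sends back, so editing `"success":false` to `true` or a status code in transit changes nothing the server believes; and the record of the last consumed time step is what stops a captured code from being presented a second time within the drift window.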

Bypass Mindmap