Bypassing 2 Factor Authentication By Tuhin Bose

root@kali:~#whoami Bug Bounty Hunter Infosec Trainer at DSPH B. Tech in Cyber Security and Digital Forensics

Conclusion & QNA What is 2FA? Common 2FA Implementations in Web Applications 15 Different Techniques for Bypassing 2FA Live Hunting AGENDA Flow of 2FA

What is 2 Factor Authentication?

2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are.

Common 2FA Implementations in Web Applications

Common 2FA Implementations in Web Applications

Flow of 2FA

Flow of 2FA User enters his credentials. Server validates whether the given credentials matches. User will be asked to enter the 2FA. Server verifies whether the provided 2FA code is correct or not. User authenticated.

15 Different Techniques for Bypassing 2FA

15 Different Techniques for Bypassing 2FA Response/Status Code Manipulation. Brute force token. Token not expires after usage. Request 2 tokens from account A and B. Use the A's token in B's account. Try to go directly to the dashboard URL without solving the 2FA. If not success try adding the referral header to the 2FA page url while going to dashboard.

15 Different Techniques for Bypassing 2FA Search the 2FA code in response. Search the 2FA code in JS files. CSRF/Clickjacking to disable 2FA. Request Manipulation Enabling 2FA doesn't expire previous sessions.

15 Different Techniques for Bypassing 2FA No 2FA required for disabling 2FA. Password can be reset via forgot password without 2FA. Enter 0's in the code. Login using OAuth to bypass 2FA. Backup code abuse using the above methods.

@tuhin1729 [email protected]