Slide 1

Slide 1 text

Bypassing 2 Factor Authentication By Tuhin Bose

Slide 2

Slide 2 text

root@kali:~#whoami Bug Bounty Hunter Infosec Trainer at DSPH B. Tech in Cyber Security and Digital Forensics

Slide 3

Slide 3 text

Conclusion & QNA What is 2FA? Common 2FA Implementations in Web Applications 15 Different Techniques for Bypassing 2FA Live Hunting AGENDA Flow of 2FA

Slide 4

Slide 4 text

What is 2 Factor Authentication?

Slide 5

Slide 5 text

2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are.

Slide 6

Slide 6 text

Common 2FA Implementations in Web Applications

Slide 7

Slide 7 text

Common 2FA Implementations in Web Applications

Slide 8

Slide 8 text

Flow of 2FA

Slide 9

Slide 9 text

Flow of 2FA User enters his credentials. Server validates whether the given credentials matches. User will be asked to enter the 2FA. Server verifies whether the provided 2FA code is correct or not. User authenticated.

Slide 10

Slide 10 text

15 Different Techniques for Bypassing 2FA

Slide 11

Slide 11 text

15 Different Techniques for Bypassing 2FA Response/Status Code Manipulation. Brute force token. Token not expires after usage. Request 2 tokens from account A and B. Use the A's token in B's account. Try to go directly to the dashboard URL without solving the 2FA. If not success try adding the referral header to the 2FA page url while going to dashboard.

Slide 12

Slide 12 text

15 Different Techniques for Bypassing 2FA Search the 2FA code in response. Search the 2FA code in JS files. CSRF/Clickjacking to disable 2FA. Request Manipulation Enabling 2FA doesn't expire previous sessions.

Slide 13

Slide 13 text

15 Different Techniques for Bypassing 2FA No 2FA required for disabling 2FA. Password can be reset via forgot password without 2FA. Enter 0's in the code. Login using OAuth to bypass 2FA. Backup code abuse using the above methods.

Slide 14

Slide 14 text

@tuhin1729 [email protected]