
2 Factor Authentication Bypass

Tuhin Bose
August 18, 2021


Full Session Link: https://youtu.be/X2WfhBYQ2fY


Transcript

  1. AGENDA
     What is 2FA?
     Flow of 2FA
     Common 2FA Implementations in Web Applications
     15 Different Techniques for Bypassing 2FA
     Live Hunting
     Conclusion & QNA
  2. 2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are.
  3. Flow of 2FA
     User enters their credentials.
     Server validates whether the given credentials match.
     User is asked to enter the 2FA code.
     Server verifies whether the provided 2FA code is correct or not.
     User authenticated.
  4. 15 Different Techniques for Bypassing 2FA (1-5)
     (1) Response/status code manipulation (e.g. swapping the error response for a wrong code with the success response, where the client decides based on what the server returns).
     (2) Brute force the token.
     (3) Token does not expire after usage.
     (4) Request two tokens, one from account A and one from account B, then use A's token in B's account.
     (5) Try to go directly to the dashboard URL without solving the 2FA. If that does not succeed, try adding a Referer header set to the 2FA page URL while requesting the dashboard.
  5. 15 Different Techniques for Bypassing 2FA (6-10)
     (6) Search for the 2FA code in the response.
     (7) Search for the 2FA code in JS files.
     (8) CSRF/Clickjacking to disable 2FA.
     (9) Request manipulation (e.g. removing the code parameter, or sending it empty or null).
     (10) Enabling 2FA doesn't expire previous sessions.
  6. 15 Different Techniques for Bypassing 2FA (11-15)
     (11) No 2FA required for disabling 2FA.
     (12) Password can be reset via forgot password without 2FA.
     (13) Enter 0's in the code.
     (14) Login using OAuth to bypass 2FA.
     (15) Backup code abuse using the above methods.
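The code-verification step of the flow on slide 3 is where several of the techniques above succeed or fail. The following is an added example (not the deck's own code) of that step written twice: a weak verifier that falls to token reuse (3), cross-account token use (4), all-zero codes (13) and unlimited guessing (2), beside a hardened verifier that binds the code to the user, consumes it on first success, expires it, caps attempts and compares in constant time. A small harness replays those four bypasses against both. The user names, attempt limit and code lifetime are constructed for the demo.

```python
"""Added example, not the deck's own code: weak vs hardened 2FA code check,
with a harness that replays four of the listed bypasses against each.
Users, limits and lifetimes below are constructed for the demo."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LEN = 6
MAX_ATTEMPTS = 5      # assumed lockout threshold per issued code
CODE_TTL = 300        # assumed code lifetime in seconds


def fresh_code() -> str:
    return f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"


class Weak2FA:
    """Typical mistakes: code never invalidated, not bound to the submitting
    user, no attempt counter, loose numeric comparison with a 0 default."""

    def __init__(self):
        self.codes: dict[str, int] = {}          # user -> outstanding code

    def issue(self, user: str) -> str:
        code = fresh_code()
        self.codes[user] = int(code)
        return code

    def verify(self, user: str, code: str) -> bool:
        try:
            n = int(code)
        except ValueError:
            return False
        expected = self.codes.get(user, 0)      # no challenge -> 0, so "000000" matches
        # Any user's outstanding code is accepted; nothing is consumed or counted.
        return n == expected or n in self.codes.values()


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class Hardened2FA:
    """Code bound to the user, single use, time- and attempt-limited,
    format-checked and compared in constant time."""

    def __init__(self, now=time.time):
        self.now = now                            # injectable clock for tests
        self.challenges: dict[str, Challenge] = {}

    def issue(self, user: str) -> str:
        code = fresh_code()
        self.challenges[user] = Challenge(code, self.now())
        return code

    def verify(self, user: str, code: str) -> bool:
        ch = self.challenges.get(user)
        if ch is None:                            # nothing issued: nothing to match
            return False
        if self.now() - ch.issued_at > CODE_TTL or ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[user]             # expired or locked: must re-issue
            return False
        ch.attempts += 1
        if len(code) != CODE_LEN or not code.isdigit():
            return False
        if not hmac.compare_digest(code, ch.code):
            return False
        del self.challenges[user]                 # consumed on first success
        return True


def replay_bypasses(impl) -> dict:
    """Replay four listed bypasses; True means the bypass worked."""
    results = {}
    # (3) Token reuse: replay a code that already succeeded.
    code = impl.issue("alice")
    if not impl.verify("alice", code):
        raise RuntimeError("legitimate code rejected")
    results["reuse_after_success"] = impl.verify("alice", code)
    # (4) Cross-account: bob submits a code issued to alice.
    results["cross_account"] = impl.verify("bob", impl.issue("alice"))
    # (13) All zeros for a user who never requested a code.
    results["all_zeros"] = impl.verify("carol", "0" * CODE_LEN)
    # (2) No lockout: after MAX_ATTEMPTS wrong guesses the real code still works.
    code = impl.issue("dave")
    for i in range(MAX_ATTEMPTS):                 # guesses offset from the real code, always wrong
        impl.verify("dave", f"{(int(code) + 1 + i) % 10 ** CODE_LEN:0{CODE_LEN}d}")
    results["no_lockout"] = impl.verify("dave", code)
    return results


if __name__ == "__main__":
    print("weak    :", replay_bypasses(Weak2FA()))
    print("hardened:", replay_bypasses(Hardened2FA()))
```

The session-side techniques (direct dashboard URL, stale sessions after enabling 2FA, disabling 2FA or resetting the password without a code) are checks on the server's session state rather than on the code verifier, so they are outside this block; the same rule applies there: the server decides from its own state, never from anything the client sends back.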