2 Factor Authentication Bypass

Transcript

1. Bypassing 2 Factor Authentication By Tuhin Bose

2. root@kali:~#whoami Bug Bounty Hunter Infosec Trainer at DSPH B. Tech

   in Cyber Security and Digital Forensics

3. Conclusion & QNA What is 2FA? Common 2FA Implementations in

   Web Applications 15 Different Techniques for Bypassing 2FA Live Hunting AGENDA Flow of 2FA

4. What is 2 Factor Authentication?

5. 2FA is an extra layer of security used to make

   sure that people trying to gain access to an online account are who they say they are.

6. Common 2FA Implementations in Web Applications

7. Common 2FA Implementations in Web Applications

8. Flow of 2FA

9. Flow of 2FA User enters his credentials. Server validates whether

   the given credentials matches. User will be asked to enter the 2FA. Server verifies whether the provided 2FA code is correct or not. User authenticated.

10. 15 Different Techniques for Bypassing 2FA

11. 15 Different Techniques for Bypassing 2FA Response/Status Code Manipulation. Brute

    force token. Token not expires after usage. Request 2 tokens from account A and B. Use the A's token in B's account. Try to go directly to the dashboard URL without solving the 2FA. If not success try adding the referral header to the 2FA page url while going to dashboard.

12. 15 Different Techniques for Bypassing 2FA Search the 2FA code

    in response. Search the 2FA code in JS files. CSRF/Clickjacking to disable 2FA. Request Manipulation Enabling 2FA doesn't expire previous sessions.

13. 15 Different Techniques for Bypassing 2FA No 2FA required for

    disabling 2FA. Password can be reset via forgot password without 2FA. Enter 0's in the code. Login using OAuth to bypass 2FA. Backup code abuse using the above methods.

14. @tuhin1729 [email protected]