The most common form of MFA in web applications is a randomly generated number of four to eight digits used as a one-time password (OTP). The user obtains it from a dedicated hardware token, a mobile app (such as Google Authenticator, Authy, 1Password, or LastPass Authenticator), or an SMS or email that the server sends on request.
During a penetration test you can detect, and take advantage of, implementation flaws in this process when any of the following conditions exist:
- OTP numbers are not completely random and can be predicted.
- OTPs are not linked to the user to whom they are assigned. This means that you can generate an OTP for one user and use it with another.
- The same OTP is accepted more than once. A code that is not invalidated after successful use can simply be replayed.
- There is no limit on OTP submission attempts. This opens up the possibility of brute-force attacks, which are likely to succeed because OTPs are normally short numeric strings (a six-digit code has only one million possible values).
- The destination of the OTP is not validated against the user's stored account details when it is sent by email or SMS, allowing an attacker to supply their own email address or phone number in the request and receive the code.
- The OTP's expiration time is longer than the application needs. This widens the window in which an attacker can obtain and use a valid, unused token.
- Newly generated OTPs don't invalidate previous ones. If a user requests a token several times for the same operation (for example, because the network failed on the first attempts), an attacker who captured an earlier token can use it to replay the operation, or to perform another operation that accepts the same token, even after the legitimate operation has already been executed.
- Reliance on the device from which the application is accessed. Nowadays people keep banking applications, personal email, social networks, work email, and many other applications on their phones, so a second factor delivered to the same phone that is used to access the application adds little once that phone is compromised. Thus, you should think twice before using email, SMS, or mobile apps as the second factor of authentication.
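The checklist above, turned into code as an added example that is not part of the original text or of any real product: a minimal OTP verifier written twice, once with the flaws listed (no user binding, no expiry, reusable codes, earlier codes left valid, unlimited guesses) and once with each of them closed, plus an `audit()` routine that probes a verifier for every flaw the same way you would during a test. The class, function and user names, the six-digit code length, the two-minute lifetime and the five-attempt limit are all assumptions chosen for the illustration.

```python
"""Added example for the OTP checklist above (not code from the original text
or any real product). WeakOtpStore carries the listed flaws, HardenedOtpStore
closes them, and audit() turns the checklist into automated checks. All class,
function and user names are hypothetical."""
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumption: six-digit numeric codes, as most apps use
OTP_TTL_SECONDS = 120   # assumption: two minutes is enough for this application
MAX_ATTEMPTS = 5        # assumption: wrong guesses allowed before the code is dropped


def new_code():
    """Code from a CSPRNG, zero-padded to OTP_DIGITS (closes the predictability flaw)."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class WeakOtpStore:
    """Flawed verifier: no user binding, no expiry, reusable, unlimited guesses."""

    def __init__(self, now=time.time):
        self._valid = set()     # a bag of codes with no owner and no timestamp

    def issue(self, username):
        code = new_code()
        self._valid.add(code)   # earlier codes for this user remain valid
        return code

    def verify(self, username, code):
        return code in self._valid   # any user, any number of times, forever


class HardenedOtpStore:
    """Binds the code to a user, replaces earlier codes, expires it, accepts it once."""

    def __init__(self, now=time.time):
        self._now = now         # injectable clock so expiry can be tested
        self._pending = {}      # username -> {"code", "expires", "attempts"}

    def issue(self, username):
        code = new_code()
        # Overwriting the entry invalidates any previous code for this user.
        self._pending[username] = {"code": code, "attempts": 0,
                                   "expires": self._now() + OTP_TTL_SECONDS}
        return code

    def verify(self, username, code):
        entry = self._pending.get(username)
        if entry is None:
            return False                    # nothing issued to this user
        if self._now() > entry["expires"]:
            del self._pending[username]     # expired: force a fresh request
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]     # too many guesses: discard the code
            return False
        if not hmac.compare_digest(entry["code"], code):
            return False                    # wrong code (constant-time compare)
        del self._pending[username]         # correct: single use
        return True


class FakeClock:
    """Constructed clock so the expiry check runs without sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def audit(make_store, clock):
    """Run the checklist against a store factory; True means the flaw is present."""
    findings = {}
    store = make_store(clock)
    code = store.issue("alice")
    findings["not_bound_to_user"] = store.verify("bob", code)
    store = make_store(clock)
    code = store.issue("alice")
    store.verify("alice", code)
    findings["reusable"] = store.verify("alice", code)
    store = make_store(clock)
    first = store.issue("alice")
    store.issue("alice")
    findings["previous_code_still_valid"] = store.verify("alice", first)
    store = make_store(clock)
    code = store.issue("alice")
    clock.advance(OTP_TTL_SECONDS + 1)
    findings["no_expiry"] = store.verify("alice", code)
    store = make_store(clock)
    code = store.issue("alice")
    wrong = f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS + 1):
        store.verify("alice", wrong)        # a brute force would do this 10**OTP_DIGITS times
    findings["unlimited_attempts"] = store.verify("alice", code)
    return findings


if __name__ == "__main__":
    for name, factory in (("weak", WeakOtpStore), ("hardened", HardenedOtpStore)):
        print(name, audit(factory, FakeClock()))
```

Running the script prints every flaw as `True` for the weak store and `False` for the hardened one. Against a real target you cannot read the store, but each check in `audit()` maps onto a black-box request sequence: request a code for one account and submit it for another, submit the same code twice, request two codes and submit the first, wait past the advertised lifetime, and hammer the endpoint with wrong codes before sending the right one. The `now` parameter exists only so the expiry check can be driven by `FakeClock` instead of real waiting.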