2FA Code is Not Updated After New Code is Requested

2FA Code is Not Updated After New Code is Requested

Overview of the Vulnerability

Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. A 2FA code is not updated when a new code is requested in the application which does not follow best practice for 2FA implementation. An attacker can take advantage of this weak 2FA implementation and potentially take over user accounts.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.

Steps to Reproduce

  1. Login to the application at: {{url}}

  2. When the 2FA step of the login is reached, request a code

  3. When the first code is received, request a new code and verify that the second code is also received

  4. Observe that the first and second code are identical, demonstrating that the 2FA code is not updated when a new code is requested

Proof of Concept (PoC)

The screenshot(s) below demonstrates that the 2FA code is not updated when a new code is requested:

{{screenshot}}

Recommendation(s)

There is no single technique to implement 2FA securely. However, the following best practices should be adhered to:

  • The 2FA code should be invalidated each time a new code is requested

  • Users should have access to a failsafe login method if they don’t have access to their 2FA implementation

  • 2FA should be implemented for users upon sensitive actions such as login, change of password or security questions, elevation of user session, change of email address or phone number, and disabling of 2FA.

  • The uniquely generated OTP should expire

  • The page behind the 2FA step should not be able to be accessed directly by manipulating the URL

  • 2FA should not be automatically disabled during the password recovery process

  • The 2FA procedure should not disclose any sensitive information. For example, do not disclose the unredacted phone number of a user

  • The 2FA process cannot depend on client-side modifiable header or status codes

PreviousOld 2FA Code Is Not Invalidated After New Code is GeneratedNext2FA Secret Cannot Be Rotated

Last updated