2FA Secret Cannot Be Rotated
2FA Secret Cannot be Rotated
Overview of the Vulnerability
Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The 2FA secret cannot be rotated in the application which does not follow best practice for 2FA implementation.If an attacker were able to compromise a user's 2FA system, the user would not be able to invalidate their 2FA secret.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.
Steps to Reproduce
Login to the application at: {{url}}
Setup two factor authentication
After the 2FA secret is created, observe that there is no way in which the secret can be rotated
Proof of Concept (PoC)
The screenshot(s) below demonstrates that the 2FA code can’t be rotated:
{{screenshot}}
Recommendation(s)
There is no single technique to implement 2FA securely. However, the following best practices should be adhered to:
The 2FA code should be invalidated each time a new code is requested
Users should have access to a failsafe login method if they don’t have access to their 2FA implementation
2FA should be implemented for users upon sensitive actions such as login, change of password or security questions, elevation of user session, change of email address or phone number, and disabling of 2FA.
The uniquely generated OTP should expire
The page behind the 2FA step should not be able to be accessed directly by manipulating the URL
2FA should not be automatically disabled during the password recovery process
The 2FA procedure should not disclose any sensitive information. For example, do not disclose the unredacted phone number of a user
The 2FA process cannot depend on client-side modifiable header or status codes
Last updated