Missing Failsafe
2FA Missing Failsafe
Overview of the Vulnerability
Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. Not providing a failsafe in the 2FA implementation in the application could prevent a user who has lost their 2FA device to an attacker from resetting the password of their account. An attacker can take advantage of this and potentially take over user accounts.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.
Steps to Reproduce
Login to the application at: {{url}}
Navigate to the 2FA registration page at: {{url}}
Register for 2FA, and observe that the implementation provides no failsafe login methods, such as offline backup codes
Proof of Concept (PoC)
The screenshot(s) below demonstrates the missing 2FA failsafe:
{{screenshot}}
Recommendation(s)
There is no single technique to implement 2FA securely. However, the following best practices should be adhered to:
The 2FA code should be invalidated each time a new code is requested
Users should have access to a failsafe login method if they don’t have access to their 2FA implementation
2FA should be implemented for users upon sensitive actions such as login, change of password or security questions, elevation of user session, change of email address or phone number, and disabling of 2FA.
The uniquely generated OTP should expire
The page behind the 2FA step should not be able to be accessed directly by manipulating the URL
2FA should not be automatically disabled during the password recovery process
The 2FA procedure should not disclose any sensitive information. For example, do not disclose the unredacted phone number of a user
The 2FA process cannot depend on client-side modifiable header or status codes
Last updated