Old 2FA Code Is Not Invalidated After New Code is Generated

Overview of the Vulnerability

Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting the user to enter a uniquely generated one-time password (OTP) after they have successfully entered their username and password. In this application, an older 2FA code is not invalidated when a new code is generated. This could allow an attacker to perform a replay attack, in which an older, unused 2FA code is submitted to bypass the application's 2FA step.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.

Steps to Reproduce

  1. Log in to the application at: {{url}}

  2. When the 2FA step of the login is reached, request a code

  3. When the first code is received, request a new code and verify that the second code is also received

  4. Input the first, older code into the 2FA input

  5. Observe that the application allows the use of the first code after the second was generated, meaning it was not invalidated

Proof of Concept (PoC)

The screenshot(s) below demonstrate the old 2FA code not being invalidated:

{{screenshot}}

Recommendation(s)

There is no single technique to implement 2FA securely. However, the following best practices should be adhered to:

  • The 2FA code should be invalidated each time a new code is requested

  • Users should have access to a failsafe login method if they lose access to their 2FA device or delivery channel

  • 2FA should be implemented for users upon sensitive actions such as login, change of password or security questions, elevation of user session, change of email address or phone number, and disabling of 2FA.

  • The uniquely generated OTP should expire

  • The page behind the 2FA step should not be able to be accessed directly by manipulating the URL

  • 2FA should not be automatically disabled during the password recovery process

  • The 2FA procedure should not disclose any sensitive information. For example, do not disclose the unredacted phone number of a user

  • The 2FA process must not depend on client-side modifiable headers or status codes
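The following is an added example, not code from the report or from the affected application, showing a server-side OTP store that satisfies the first, fourth and related recommendations above and closes the replay window described in the overview: each user has at most one pending code, issuing a new code overwrites (and therefore invalidates) the previous one, codes expire, are single-use, and are capped at a small number of attempts. The names `OtpService`, `PendingCode`, `CODE_TTL_SECONDS` and `MAX_ATTEMPTS` are assumptions for this illustration; the `clock` and `rng` parameters exist only so the behaviour can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # assumed lifetime of a code (5 minutes)
MAX_ATTEMPTS = 5        # assumed number of guesses allowed per code


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class OtpService:
    """Server-side store holding at most one pending OTP per user.

    Because issue() replaces the user's record, the previous code stops
    being accepted the moment a new one is generated.
    """

    def __init__(self, secret_key: bytes, clock=time.time, rng=secrets.randbelow):
        self._key = secret_key
        self._clock = clock          # injectable for tests
        self._rng = rng              # injectable for tests; CSPRNG by default
        self._pending: dict[str, PendingCode] = {}

    def _hash(self, user_id: str, code: str) -> bytes:
        # Keyed hash: a leaked store does not reveal live codes
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Generate a fresh 6-digit code and invalidate any earlier one."""
        code = f"{self._rng(10**6):06d}"
        self._pending[user_id] = PendingCode(
            code_hash=self._hash(user_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code  # delivered out of band (SMS, e-mail, authenticator app)

    def verify(self, user_id: str, code: str) -> bool:
        """Accept only the latest, unexpired, unused code for this user."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False                        # nothing outstanding, or already used
        if self._clock() > pending.expires_at:
            del self._pending[user_id]          # expired: discard
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]          # too many guesses: discard
            return False
        if not hmac.compare_digest(pending.code_hash, self._hash(user_id, code)):
            return False                        # wrong code, attempt recorded
        del self._pending[user_id]              # correct: single use
        return True


def replay_demo() -> dict:
    """Walk through the report's reproduction steps against this store."""
    svc = OtpService(b"constructed-demo-key")
    first = svc.issue("alice")
    second = svc.issue("alice")   # step 3: request a new code
    return {
        "old_code_accepted": svc.verify("alice", first),   # step 4: expect False
        "new_code_accepted": svc.verify("alice", second),  # expect True
        "new_code_reusable": svc.verify("alice", second),  # expect False
    }


if __name__ == "__main__":
    print(replay_demo())
```

The key design point is that the store is keyed by user rather than by code: there is no way to have two live codes for one account, so the scenario in step 5 of the reproduction cannot occur. Constant-time comparison of a keyed hash avoids timing leaks, and the attempt counter keeps a six-digit code from being brute-forced within its lifetime.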
