DEV Community

jmau111
jmau111

Posted on • Originally published at blog.julien-maury.dev

How to spot poor implementations of 2FA

I enable 2FA every time it's possible, and I encourage you to do the same.

2FA means two-factor authentication. It's an extra layer of security that forces you to enter one-time passwords (OTP) in addition to your classic credentials (login/passwords).

Most of the time, it's a series of 6-8 numbers that are sent by SMS or generated with a dedicated mobile app. This way, it's another device, for example, a smartphone, that holds the authentication factor.

Besides, even if your credentials are stolen or leaked, hackers won't be able to use them theoretically. The problem is that some implementations are flawed or prone to attacks.

Disclaimer

It's not an exhaustive list but a collection of simple observations.

7 signs of bad 2FA implementation

  • the generated OTP does not seem to expire, even hours after
  • you can access the URL directly, for example, your admin panel, so the 2FA can be totally bypassed
  • the 2FA process depends on a header or a status code that can be modified from the client side
  • there's no limit for login attempts with OTP, so hackers can Brute-Force the code easily*
  • 2FA is automatically disabled during passwords recovery
  • re-sending the code resets the limit of login attempts
  • the 2FA procedures discloses sensitive information, like "we've sent an authentication code to +12277777777"

*6-8 numbers is the equivalent of a very weak password during a Brute-Force attack

How to fix the situation

Again, enabling 2FA is a valid choice, regardless of the implementation, but if you see something strange, like one of the 7 signs we've just saw, do not hesitate to report it to the apps/websites/services.

Fortunately, not all implementations are that bad. While even the most robust ones can be bypassed under specific conditions, 2FA hardens your security significantly.

Discussion (0)