How to spot poor implementations of 2FA

This content originally appeared on DEV Community and was authored by Julien Maury

I enable 2FA every time it's possible, and I encourage you to do the same.

2FA means two-factor authentication. It's an extra layer of security that requires you to enter a one-time password (OTP) in addition to your classic credentials (login/password).

Most of the time, it's a 6-8 digit code sent by SMS or generated with a dedicated mobile app. This way, a separate device, typically a smartphone, holds the second factor.

Besides, even if your credentials are stolen or leaked, hackers theoretically won't be able to use them on their own. The problem is that some implementations are flawed or prone to attacks.
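To make the "generated with a dedicated mobile app" part concrete, here is an added example (my code, not the author's) of HOTP (RFC 4226) and TOTP (RFC 6238), the algorithm most authenticator apps implement. The secret and time values are the published RFC 6238 test vectors; the server-side acceptance window of one 30-second step either side is an assumed policy, and the function names are mine.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in plain Python (added example, not the
article's code). RFC_SECRET and the time values used with it come from the
RFC 6238 test vectors; the one-step drift window is an assumed policy."""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"  # RFC 6238 test secret for HMAC-SHA1


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """HMAC the 8-byte big-endian counter, then dynamic-truncate to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret, unix_time=None, step=30, digits=6, algorithm=hashlib.sha1):
    """TOTP is HOTP with counter = floor(unix_time / step): the code changes every step,
    which is what makes a code 'expire' without any server-side bookkeeping."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def verify_totp(secret, submitted, unix_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step and `window` steps either side
    to absorb clock drift, nothing older. Every candidate is compared in constant
    time and all candidates are evaluated, so timing does not reveal which matched."""
    if not (isinstance(submitted, str) and submitted.isascii()):
        return False
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    matches = [hmac.compare_digest(hotp(secret, counter + k, digits), submitted)
               for k in range(-window, window + 1)]
    return any(matches)


if __name__ == "__main__":
    print("current code for the RFC test secret:", totp(RFC_SECRET))
```

A TOTP code is only valid for the step it was generated in (plus whatever drift window the server allows), which is exactly the behaviour that is missing when a code "does not seem to expire, even hours later".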

Disclaimer

It's not an exhaustive list but a collection of simple observations.

7 signs of a bad 2FA implementation

  • the generated OTP does not seem to expire, even hours later
  • you can access the protected URL directly, for example your admin panel, so the 2FA can be totally bypassed
  • the 2FA process depends on a header or a status code that can be modified from the client side
  • there's no limit on login attempts with the OTP, so hackers can brute-force the code easily*
  • 2FA is automatically disabled during password recovery
  • re-sending the code resets the limit of login attempts
  • the 2FA procedure discloses sensitive information, like "we've sent an authentication code to +12277777777"

*A 6-8 digit code is the equivalent of a very weak password against a brute-force attack
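The following added example (mine, not the author's) sketches a server-side OTP challenge handler that has the properties whose absence the 7 signs above describe: codes expire, attempts are capped, re-sending a code does not reset the attempt counter, the "second factor passed" state lives only on the server and never in a client-supplied header or status code, the comparison is constant-time, and the destination phone number is masked before it is shown. The policy values (6 digits, 5-minute lifetime, 5 attempts, 3 re-sends), the class and function names and the ManualClock test aid are all assumptions for illustration; `brute_force_coverage` puts a number on the footnote about 6-8 digit codes.

```python
"""Server-side OTP challenge handling (added example, not the article's code).
Assumed policy: 6-digit codes, 5 minute lifetime, 5 attempts, 3 re-sends."""
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
MAX_RESENDS = 3


class Challenge:
    """One pending second-factor challenge; exists only in server memory."""

    def __init__(self, code, issued_at):
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0   # deliberately survives re-sends
        self.resends = 0


class OtpService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}      # user -> Challenge
        self._verified = set()  # users whose second factor passed (server-side truth)

    @staticmethod
    def _new_code():
        # Uniformly random code from a CSPRNG, never derived from predictable data
        return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"

    def start(self, user):
        """Issue a fresh challenge. In production the code is delivered out of band;
        it is returned here only so the example can be exercised."""
        self._verified.discard(user)
        ch = Challenge(self._new_code(), self._clock())
        self._pending[user] = ch
        return ch.code

    def resend(self, user):
        """New code and new lifetime, but the attempt counter carries over, so
        re-sending cannot be used to refill the brute-force budget."""
        ch = self._pending.get(user)
        if ch is None or ch.resends >= MAX_RESENDS:
            return None
        ch.code = self._new_code()
        ch.issued_at = self._clock()
        ch.resends += 1
        return ch.code

    def verify(self, user, submitted):
        ch = self._pending.get(user)
        if ch is None:
            return "no_challenge"
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self._pending[user]
            return "expired"
        ch.attempts += 1
        well_formed = (isinstance(submitted, str) and len(submitted) == OTP_DIGITS
                       and submitted.isascii() and submitted.isdigit())
        if well_formed and hmac.compare_digest(ch.code, submitted):
            del self._pending[user]  # single use
            self._verified.add(user)
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # budget exhausted: the login flow must restart
            return "locked"
        return "invalid"

    def second_factor_passed(self, user):
        """The only authority on whether 2FA succeeded. A protected route (say the
        admin panel) must consult this, never a header or status code from the client."""
        return user in self._verified


def brute_force_coverage(digits, attempts):
    """Fraction of the code space that `attempts` guesses can cover."""
    return min(1.0, attempts / 10 ** digits)


def mask_destination(phone):
    """Confirm where the code went without disclosing the full number."""
    return "*" * (len(phone) - 2) + phone[-2:]


class ManualClock:
    """Test aid: a clock the caller advances by hand to simulate expiry."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t
```

With these limits an attacker gets at most 5 guesses against 1,000,000 possible codes before the challenge is discarded; with no limit (or a limit reset by every re-send), the same 6-digit space is covered in full, which is why the footnote compares it to a very weak password.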

How to fix the situation

Again, enabling 2FA is a valid choice, regardless of the implementation, but if you see something strange, like one of the 7 signs we've just seen, do not hesitate to report it to the app, website, or service.

Fortunately, not all implementations are that bad. While even the most robust ones can be bypassed under specific conditions, 2FA hardens your security significantly.

Photo by Varvara Grabova.


Julien Maury | Sciencx (2022-05-07) How to spot poor implementations of 2FA. https://www.scien.cx/2022/05/07/how-to-spot-poor-implementations-of-2fa/