
Exploiting weak 2FA

Gupta Bless
5 min read · Feb 21, 2021


What is Two-Factor Authentication?

As the name indicates, two-factor authentication means two layers of authentication are required before you can access an application or resource: for example, first entering a password and then entering a code that the application sends to your mobile phone. This is what we usually call Two-Factor Authentication (2FA).

Because breaches of credentials are common, companies want extra protection. For this, a company generally does one of the following:

i. Asks a couple of security questions that you answered at the time of registration

ii. Sends an OTP to your registered mobile number

iii. Authenticates you using Google Authenticator

iv. Asks you to click a link sent to your email

2FA is a combination of something you know (secret questions), something you have (credit card, phone), and something you are (fingerprint, voiceprint).

2FA comes in two types:

i. Hardware or Hard Token: the company provides the user with a small hardware device, such as an RSA token, which looks like a pen drive and shows a random 6-digit value on its screen that refreshes after 30 mins.

ii. Software or Soft Token: OTPs sent via SMS or email, and Google Authenticator, come under this.
