Tackling the vulnerabilities that can occur in multi-factor authentication mechanisms is important for enterprises.

FREMONT, CA: Cybercriminals have more than 15 billion stolen credentials to choose from. Turning those credentials against a single firm could give them access to bank accounts, health care records, company secrets, and much more. Multi-factor authentication is essential because it makes stealing that information harder for the average criminal, and the harder a target is, the more likely those thieves are to pick someone else. Two-factor authentication is more secure than single-factor authentication. However, it is only ever as secure as its deployment. Poorly deployed two-factor authentication can be beaten or even bypassed, just as single-factor authentication can.

The full benefits of multi-factor authentication are only gained by verifying different factors. Verifying the same factor in two ways is not true two-factor authentication. Email-based 2FA is one example: although the user has to supply a password and a verification code, obtaining the code only depends on knowing the login credentials for their email account, so the knowledge factor is merely being verified twice. By contrast, a genuine second factor is usually a verification code that the user reads from a physical device of some kind.

At times, the deployment of two-factor authentication is flawed to the point where it can be bypassed entirely. If the user is prompted for a password and then sent to a separate page to supply a verification code, they may effectively be logged in before they have entered that code. It is worth testing whether users can skip directly to logged-in-only pages after completing only the first authentication step. Occasionally, users will find that a website does not check whether they completed the second step before loading such a page. Another logic flaw is a website that, once a user has completed the login step, does not verify that the same user is the one completing the second step. This is extremely harmful if the attacker can brute-force the verification code, as it would let them log in to a user's account based purely on the username. They would never even need to know the user's password.
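The two flaws above both come from the server not tracking login state properly between the steps. The following is an added example, not code from the original article or any real product: a minimal server-side login flow (constructed user store, constructed codes, hypothetical `Session` object) in which step 1 only records a pending user on the session, step 2 verifies the code for that pending user rather than for any account named in the request, code guesses are capped, and protected pages check only the fully authenticated user.

```python
import hmac

# Constructed demo user store (passwords would be hashed and codes generated per login).
USERS = {
    "alice": {"password": "correct-horse", "code": "493021"},
    "bob": {"password": "battery-staple", "code": "118834"},
}
MAX_CODE_ATTEMPTS = 5  # guesses allowed before the pending login is discarded

class Session:
    """Server-side session state for one browser; nothing here is client-controlled."""
    def __init__(self):
        self.pending_user = None  # set by step 1, consumed by step 2
        self.user = None  # set only once both factors have been verified
        self.code_attempts = 0

def login_step1(session, username, password):
    """Step 1: check the password. Records a pending user; logs nobody in."""
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record["password"], password):
        return False
    session.pending_user = username
    session.code_attempts = 0
    return True

def login_step2(session, code):
    """Step 2: check the code for the user bound to this session in step 1.
    The request carries no username, so it cannot name a different account
    from the one whose password was just verified."""
    if session.pending_user is None:
        return False  # step 1 was never completed on this session
    if session.code_attempts >= MAX_CODE_ATTEMPTS:
        session.pending_user = None  # too many guesses: require a fresh login
        return False
    session.code_attempts += 1
    expected = USERS[session.pending_user]["code"]
    if expected is None or not hmac.compare_digest(expected, code):
        return False
    USERS[session.pending_user]["code"] = None  # one-time code: spent after use
    session.user = session.pending_user  # both factors verified: now logged in
    session.pending_user = None
    return True

def protected_page(session):
    """Every logged-in-only page checks the fully authenticated user, not step 1."""
    if session.user is None:
        return "403 login required"
    return f"200 welcome {session.user}"
```

The checks to keep when testing a real deployment are the same ones this flow enforces: a protected page must refuse a session that has only passed step 1, and step 2 must never accept an account identifier from the request.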