DEV Community

spO0q

How to spot poor implementations of 2FA

I enable 2FA every time it's possible, and I encourage you to do the same.

2FA means two-factor authentication. It's an extra layer of security that forces you to enter a one-time password (OTP) in addition to your classic credentials (login/password).

Most of the time, it's a code of 6 to 8 digits that is sent by SMS or generated with a dedicated mobile app. This way, another device, for example a smartphone, holds the second authentication factor.

Besides, even if your credentials are stolen or leaked, attackers theoretically won't be able to use them on their own. The problem is that some implementations are flawed or prone to attacks.

Disclaimer

It's not an exhaustive list but a collection of simple observations.

7 signs of bad 2FA implementation

  • the generated OTP does not seem to expire, even hours later
  • you can access the URL directly, for example your admin panel, so the 2FA can be totally bypassed
  • the 2FA process depends on a header or a status code that can be modified from the client side
  • there's no limit on login attempts with the OTP, so attackers can brute-force the code easily*
  • 2FA is automatically disabled during password recovery
  • re-sending the code resets the limit on login attempts
  • the 2FA procedure discloses sensitive information, like "we've sent an authentication code to +12277777777"

*A code of 6 to 8 digits is the equivalent of a very weak password against a brute-force attack

How to fix the situation

Again, enabling 2FA is a valid choice, regardless of the implementation, but if you see something strange, like one of the 7 signs we've just seen, do not hesitate to report it to the app, website or service.

Fortunately, not all implementations are that bad. While even the most robust ones can be bypassed under specific conditions, 2FA hardens your security significantly.
