Bypass Two-Factor Authentication

Two-Factor Authentication

What is Two-Factor Authentication?

Two-Factor Authentication, commonly known as 2FA, is an authentication scheme that consists of two separate identification steps; an email address or phone number is commonly used as the delivery channel for the second step. Such systems frequently require a 4- or 6-digit code as the second value, entered after the password.

How does 2FA Work?

Two-Factor Authentication (2FA) acts by attaching an extra layer of protection. It requires an additional credential beyond just the username and password to gain access.

Background

Independent researcher Laxman Muthiyah earned a $30,000 bug bounty from Facebook after identifying a flaw in the Instagram mobile recovery process that would have allowed account takeover of any user through a mass brute-force campaign. Instagram's mobile recovery flow sends the user a six-digit passcode to their mobile phone, the same mechanism used for two-factor authentication (2FA). Six digits means there are 1 million possible codes. Therefore, if we can try all 1 million codes against the verify-code endpoint, we will be able to change the password of any account.

Vulnerability

If OTP verification is not correctly implemented, anyone can bypass it with a brute-force attack. The vulnerability arises from two basic development omissions: no rate limiting on unsuccessful attempts, and no policy of issuing a new OTP (and invalidating the old one) after X unsuccessful attempts. By building these two controls into our application, we can prevent OTP brute-forcing.
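The two controls named above, as an added example that is not code from the original post: a per-account OTP verifier with a sliding-window rate limit on verification attempts and invalidation of the code after a fixed number of wrong guesses. The class, the constants and the injected `now` clock are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from collections import deque

OTP_DIGITS = 6
OTP_TTL = 300      # seconds a code stays valid
MAX_FAILED = 5     # wrong guesses before the code is invalidated
RATE_LIMIT = 3     # max verification attempts per account ...
RATE_WINDOW = 60   # ... within this many seconds


class OtpVerifier:
    """Per-account OTP store with a sliding-window rate limit and
    invalidation after too many wrong guesses (assumed design, not a library API)."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}     # account -> [code, issued_at, failed_count]
        self._attempts = {}  # account -> deque of attempt timestamps

    def issue(self, account):
        # secrets, not random: the code must be unpredictable
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[account] = [code, self._now(), 0]
        return code  # delivered out of band (SMS/email), never echoed to the client

    def verify(self, account, submitted):
        now = self._now()
        window = self._attempts.setdefault(account, deque())
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()  # drop attempts older than the window
        if len(window) >= RATE_LIMIT:
            return "rate_limited"  # control 1: throttle before touching the code
        window.append(now)
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        code, issued_at, failed = entry
        if now - issued_at > OTP_TTL:
            del self._codes[account]
            return "expired"
        # constant-time comparison on bytes so odd input cannot raise or leak timing
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._codes[account]  # single use
            return "ok"
        entry[2] = failed + 1
        if entry[2] >= MAX_FAILED:
            del self._codes[account]  # control 2: the code dies, a fresh one must be issued
            return "invalidated"
        return "wrong"
```

With the defaults above an attacker gets at most five guesses at any one code, so the 1-in-a-million search from the Instagram case never gets past the first handful of attempts.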

Attack

We can implement a brute-force attack with Burp Suite. First we log in to the website using the phone number and enter a wrong OTP code while intercepting the request in Burp Suite. After intercepting it, we send the OTP verification API call to Intruder, select the OTP value as the placeholder and mark it for the attack. With the placeholder in place, we proceed to the Payloads tab, set the payload type to Numbers, adjust the payload options as desired, and start the attack. The result shows up as a change in the responses to the OTP requests.

Conclusion

2FA is also vulnerable when unsuccessful attempts are not moderated. We can comfortably avoid these attacks by implementing a reliable OTP method with stricter rules for failed attempts, which also means greater privacy for users.
