Two Factor Authentication Checklist
Check whether the 2FA code can be brute-forced.
Check whether the 2FA code is unique for each user and that another user's code cannot be used.
Check whether the 2FA code can be reused and whether it lacks a specific expiry time.
Check for response manipulation: with a wrong 2FA code entered, change the failure status in the response to a success status and see whether the client accepts it.
Check where the secret/QR code used for TOTP is stored. Is it publicly accessible? Can you access another user's QR code? If it is stored on a file system, check its permissions/ACLs. (Check recovery codes in the same way.)
Check whether 2FA is implemented on all platforms (web/mobile/desktop), subdomains and products that rely on the same authentication mechanism.
Check whether 2FA is disabled after the password reset flow.
If a remember-me cookie is set to log in automatically on a frequently used device, check that the cookie is long, random and unique for each device and user.
Check that disabling 2FA requires confirmation, such as entering the 2FA code or the profile/user password; otherwise an attacker might use CSRF, XSS or other attacks to disable 2FA.
Check that enabling 2FA expires previously active sessions; otherwise an attacker can keep using a previously logged-in session if there is no session expiry.
If the application sets a cookie with some privilege before 2FA is completed, try to access other API endpoints/pages of the application with this cookie.
Check whether the 2FA code is leaked in any of the responses that triggered the 2FA codes.
Check the session cookie or JavaScript variables for 2FA-related parameters; if 2FA completion is tracked by a simple yes/no value, change the value and check whether 2FA can be bypassed.
Check whether the resend 2FA code feature resets the rate limit of a previous brute-force attempt on the 2FA code.
Check whether default 2FA codes such as 000000 or an empty/null string are accepted.
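A server-side verifier that closes the gaps the items above probe (brute force, cross-user codes, reuse, expiry, rate-limit reset on resend, empty/default codes), added here as an example and not taken from the original checklist; the in-memory store, the attempt limit and the code lifetime are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # assumed lockout threshold per user
CODE_TTL_SECONDS = 300    # assumed code lifetime


class OtpStore:
    """Constructed in-memory store; a real service needs atomic DB updates."""

    def __init__(self):
        self.codes = {}     # user_id -> [code, issued_at, used]
        self.attempts = {}  # user_id -> failed attempts since last success

    def issue(self, user_id, now=None):
        """Issue a fresh code bound to one user. Resending deliberately does
        NOT touch self.attempts, so a resend cannot reset the rate limit."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"
        while code == "000000":  # never hand out the well-known default
            code = f"{secrets.randbelow(1_000_000):06d}"
        self.codes[user_id] = [code, now, False]
        return code

    def verify(self, user_id, submitted, now=None):
        now = time.time() if now is None else now
        # Reject empty/null, malformed and all-zero defaults before any lookup.
        if not submitted or len(submitted) != 6 or not submitted.isdigit():
            return False
        if submitted == "000000":
            return False
        if self.attempts.get(user_id, 0) >= MAX_ATTEMPTS:
            return False  # locked out: brute force stops here
        entry = self.codes.get(user_id)  # keyed per user: no cross-user codes
        if entry is None:
            return self._fail(user_id)
        code, issued_at, used = entry
        if used or now - issued_at > CODE_TTL_SECONDS:
            return self._fail(user_id)  # single use and bounded lifetime
        if not hmac.compare_digest(code, submitted):
            return self._fail(user_id)  # constant-time comparison
        entry[2] = True
        self.attempts[user_id] = 0
        return True

    def _fail(self, user_id):
        self.attempts[user_id] = self.attempts.get(user_id, 0) + 1
        return False
```

The server decides success solely from this return value, so a client-side response edit (the manipulation item above) changes nothing about the session state it grants.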