30.6 C
Wednesday, May 18, 2022

Hacker’s Top Methods To Bypass 2FA And Otp

Must read

Pro MCrackerhttps://hackbyte.org
I Am MCracker From India, I Am A Pentester And A Blogger.


This article is only for education purpose, if you misuse this information then only you will be responsible for it and not hackbyte.

Hi Hackies,

Welcome to Hackbyte, Now We Are telling You About How Hackers Bypass 2FA And Otp’s Methods So Let’s Start.

What Is 2FA And Otp?

2FA ( Two Factor Authentication) is an authentication protocol where access is only granted after providing two pieces of evidence to an authentication mechanism typically a Password and an OTP (One Time Token). To access an account protected with 2FA you need both the password and a secret token, this serves as an extra layer of security. To successfully bypass 2FA means you can gain access to a 2FA protected account without the 2FA code, just the email and password.

Bypassing two-factor authentication Methods

Direct bypass

Fuck the 2FA, just try to access the next endpoint directly (you need to know the path of the next endpoint). If this doesn’t work, try to change the Referrer header as if you came from the 2FA page.

Reusing token

Maybe you can reuse an already used token inside the account to authenticate.

Read Also  Cross-Site Script Incusion(XSSI) |Widespread Web Vulnerability

Sharing unused tokens

Check if you can get for your account a token and try to use it to bypass the 2FA in a different account.

Leaked Token

Is the token leaked on a response from the web application?

Session permission

Using the same session start the flow using your account and the victims account. When reaching the 2FA point with both account, complete the 2FA with your account but do not access the next part. Instead of that, try to access to the next step with the victims account floe. If the back-end only set a boolean inside your sessions saying that you have successfully passed the 2FA you will be able to bypass the 2FA of the victim.

Password reset function

In almost all web applications the password reset function automatically logs the user into the application after the reset procedure is completed. Check if a **mail **is sent with a **link **to reset the password and if you can reuse that **link **to reset the password as many times as you want (even if the victim changes his email address).


If you can compromise the account of the user in a trusted OAuth platform (Google, Facebook…)

BruteForce Due to Lack of rate limit

There is any limit in the amount of codes that you can try, so you can just brute force it. Be careful with a possible “silent” rate-limit, always try several codes and then the real one to confirm the vulnerability.

Read Also  Terminologies In Hacking - Must Know

BruteForce due to Flow rate limit but no rate limit

In this case there is a flow rate limit (you have to brute force it very slowly: 1 thread and some sleep before 2 tries) but no rate limit. So with enough time you can be able to find the valid code.

BruteForce due to Re-send code reset the limit

There is a rate limit but when you “resend the code” the same code is sent and the rate limit is reset. Then, you can brute force the code while you resend it so the rate limit is never reached.

BruteForce due to Lack of rate limit in user’s account

Sometimes you can configure the 2FA for some actions inside your account (change mail, password…). However, even in cases where there was a rate limit when you tried to log in, there isn’t any rate limit protecting this actions.

Lack of rate limit re-sending the code via SMS

You want be able to bypass the 2FA but you will be able to waste money of the company.

Infinite OTP regeneration

If you can generate a new OTP infinite times, the** OTP is simple enough** (4 numbers), and you can try up to 4 or 5 tokens per generated OTP, you can just try the same 4 or 5 tokens every time and generate OTPs until it matches the ones you are using.


Check if there is a CSRF or a Clickjacking vulnerability to disable the 2FA.

Read Also  Cross-site WebSocket hijacking (CSWSH)| Hacking WebSocket

Guessable cookie

If the remember me functionality uses a new cookie with a guessable code, try to guess it.


If you find that the 2FA is using an API located under a /v*/ directory (like “/v3/”), this probably means that there are older API endpoints that could be vulnerable to some kind of 2FA bypass.

Previous sessions

When the 2FA is enabled, previous sessions created should be ended.This is because when a client has his account compromised he could want to protect it activating the 2FA, but if the previous sessions aren’t ended, this won’t protect him.

Improper access control to backup codes

Backup codes are being generated immediately after 2FA is enabled and are available on a single request. After each subsequent call to the request, the codes can be regenerated or remain unchanged (static codes). If there are CORS misconfigurations/XSS vulnerabilities and other bugs that allow you to “pull” backup codes from the response’ request of the backup code endpoint, then the attacker could steal the codes and bypass 2FA if the username and password are known.

Information Disclosure

If in the 2FA page appears some confidential information that you didn’t know previously (like the phone number) this can be considered an information disclosure vulnerability.

Password-Reset == disable 2fa

  • Create an Account and Turn On 2FA.2.Logout from that account.3.Now, Go to forget Password-Reset page.4.Change your password.5.Now try to log in.6.If you are not asked to enter a 2FA code, You can report.

More articles



Please enter your comment!
Please enter your name here

Latest article