[Owasp-testing] Testing Multiple Factors Authentication

Giorgio Fedon giorgio.fedon at gmail.com
Sat Jun 28 15:58:03 EDT 2008

I think that in the Authentication section, would fit a section about
testing Multiple Factors Authentication.

Multiple Factors Authentications in a real world scenario include:

-	One-time password (OTP) generator tokens
-	Crypto devices like USB tokens or smart cards, equipped with X.509
-	Random OTP sent via SMS
-	Personal information that only the legitimate user is supposed to

Any of these solutions could have specific vulnerabilities, and need
to be tested accurately. A multiple factor authentication schema is a
common way to prevent online phishing, just in case that is correctly
implemented. Let's assume that the OTP token in use permits several
transaction during a timeframe of 30 seconds; in this particular case,
an attacker may be able to submit multiple requests via a common
credential theft performed through a phishing attack.

USB tokens vary from vendor to vendor. Some of them authorize a user
when they are plugged, and do not authorize operations when they are
unplugged. It seems to be a good behavior, but what it look likes is
that some of them add further layers of implicit authentication. Those
devices, do not protect users from Session Riding and empower
attackers that may use Cross Site Scripting code for automating

SMS solutions on the other side, seem to be more secure, because may
be used to authenticate a single transaction (Transaction Based
Authentication), and to inform a user about what is going on. Too many
times happen that the SMS gateway is a software package installed on
the application server that is configured to log information locally.
During a real test, an authentication bypassing attept was performed
reading the local logfiles of the SMS gateway through a Path Traversal
vulnerability. Of course this is a Blended Threat scenario, but it
needs a specific test since is a common bad practice.

The previous are just some of the ideas.
If you would like to contribute for comments, suggestions,
improvements, opinions about the need of this section, or anything
else you are welcome.


More information about the Owasp-testing mailing list