Deactivating 2FA is too easy

R

rugk

Active member
Let's take the following scenario: An attacker has gained access to the users password and one of these requirements:
  • he has access to the device where the user selected 'remember this device for 30 days' or
  • he can somehow bypass the login 2FA, because the user has selected 'remember this device for 30 days' on a device and he has stolen/intercepted the cookie or whatever is used for remembering this or
  • he is in front of the device where the user is just logged in

In this case he can easily deactivate the 2FA. The only thing he has to do is entering the users password. The problem is that there is no 2FA required before deactivating (or otherwise modifying) the 2FA.
The same also applies to the password change. An attacker there also just have to enter the old password (and not pass the 2FA) to change it.
 
2FA isn't designed to block the scenarios you're referring to. 2FA specifically covers gaining access only to the password (such as via phishing, reuse, compromise, etc). It blocks you from gaining access to the account, not from taking actions when you already have access to the account or a device. The change you're proposing would create many more situations where a user could not manipulate their 2FA settings legitimately (such as by losing the phone with the app on it).

I would also note that Google takes the identical approach.
 
AFAIK Google sends an email when the 2FA is deactivated.
This at least notifies the user that something has changed there.
 
I was curious; that is correct - they do send a notification email when 2FA is activated or deactivated. Other than that, the implementation is basically the same - there was no second factor needed when disabling 2FA.
 
rugk said:
Let's take the following scenario: An attacker has gained access to the users password and one of these requirements:
  • he has access to the device where the user selected 'remember this device for 30 days' or
  • he can somehow bypass the login 2FA, because the user has selected 'remember this device for 30 days' on a device and he has stolen/intercepted the cookie or whatever is used for remembering this or
  • he is in front of the device where the user is just logged in

In this case he can easily deactivate the 2FA. The only thing he has to do is entering the users password. The problem is that there is no 2FA required before deactivating (or otherwise modifying) the 2FA.
The same also applies to the password change. An attacker there also just have to enter the old password (and not pass the 2FA) to change it.
Click to expand...
It's two factor authentication. If you have both factors, you have access.
 
feldon30 said:
It's two factor authentication. If you have both factors, you have access.
Click to expand...
The issue in my explanation was that you only need to have one factor (password) and a kind of weakness, like a logged-in user.
The basic thing is that the old 2FA code is not required before entering a new one or disabling it. (if you image the same with a password you would also say this is bad)

Maybe that's a theoretical issue and maybe other companies make the same thing, but IMO it's something which is worth thinking about.
 
You must log in or register to reply here.

Similar threads

TimWilson
Identifying ACTUAL inactive accounts, and requiring 2FA
Replies
4
Views
421
woody
woody
Wildcat Media
  • Question Question
XF 1.5 Two-step verification--how is the 30 day expiration saved?
Replies
0
Views
649
Wildcat Media
Wildcat Media
F
  • Suggestion Suggestion
2FA: Remember device indefinitely
Replies
3
Views
2K
Lisa
Lisa
R
  • Suggestion Suggestion
Lack of interest 2FA: Separate 'device trusting' for forum and ACP login
Replies
1
Views
1K
Fred.
Fred.
R
  • Suggestion Suggestion
Lack of interest Disallow/Disable/Force specific kinds of two factor authentication
Replies
0
Views
1K
rugk
R
Back
Top Bottom