Deactivating 2FA is too easy

rugk

Active member
Let's take the following scenario: An attacker has gained access to the user's password and one of these requirements:
  • he has access to the device where the user selected 'remember this device for 30 days' or
  • he can somehow bypass the login 2FA, because the user has selected 'remember this device for 30 days' on a device and he has stolen/intercepted the cookie or whatever is used for remembering this or
  • he is in front of the device where the user is just logged in

In this case he can easily deactivate the 2FA. The only thing he has to do is enter the user's password. The problem is that there is no 2FA required before deactivating (or otherwise modifying) the 2FA.
The same also applies to the password change. An attacker there also just has to enter the old password (and not pass the 2FA) to change it.
 
2FA isn't designed to block the scenarios you're referring to. 2FA specifically covers gaining access only to the password (such as via phishing, reuse, compromise, etc). It blocks you from gaining access to the account, not from taking actions when you already have access to the account or a device. The change you're proposing would create many more situations where a user could not manipulate their 2FA settings legitimately (such as by losing the phone with the app on it).

I would also note that Google takes the identical approach.
 
AFAIK Google sends an email when the 2FA is deactivated.
This at least notifies the user that something has changed there.
 
I was curious; that is correct - they do send a notification email when 2FA is activated or deactivated. Other than that, the implementation is basically the same - there was no second factor needed when disabling 2FA.
 
Let's take the following scenario: An attacker has gained access to the user's password and one of these requirements:
  • he has access to the device where the user selected 'remember this device for 30 days' or
  • he can somehow bypass the login 2FA, because the user has selected 'remember this device for 30 days' on a device and he has stolen/intercepted the cookie or whatever is used for remembering this or
  • he is in front of the device where the user is just logged in

In this case he can easily deactivate the 2FA. The only thing he has to do is enter the user's password. The problem is that there is no 2FA required before deactivating (or otherwise modifying) the 2FA.
The same also applies to the password change. An attacker there also just has to enter the old password (and not pass the 2FA) to change it.
It's two factor authentication. If you have both factors, you have access.
 
It's two factor authentication. If you have both factors, you have access.
The issue in my explanation was that you only need to have one factor (password) and a kind of weakness, like a logged-in user.
The basic thing is that the old 2FA code is not required before entering a new one or disabling it. (If you imagine the same with a password, you would also say this is bad.)

Maybe that's a theoretical issue and maybe other companies do the same thing, but IMO it's something which is worth thinking about.
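The alternative the thread argues for is step-up authentication: disabling 2FA requires a fresh second-factor code in addition to the password, so a stolen password combined with a remembered device or an unattended logged-in session is not enough. The following is an added illustration, not code from the forum software or any poster; the Account class, its sha256 password hash and the TOTP secret are constructed for the demo.

```python
"""Step-up authentication for disabling 2FA (RFC 6238 TOTP, HMAC-SHA1)."""
import hashlib
import hmac
import struct

TOTP_STEP = 30  # seconds per time step


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP code for unix time t (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", t // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Account:
    """Constructed demo account; sha256 stands in for a real slow password KDF."""

    def __init__(self, password: str, totp_secret: bytes):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self.totp_secret = totp_secret
        self.twofa_enabled = True
        self._last_code = None  # last accepted code, so a captured code cannot be replayed

    def check_password(self, password: str) -> bool:
        digest = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(self._pw_hash, digest)

    def verify_totp(self, code: str, now: int) -> bool:
        """Accept the current step and one step either side for clock skew."""
        if not self.twofa_enabled or code == self._last_code:
            return False
        for skew in (-1, 0, 1):
            if hmac.compare_digest(totp(self.totp_secret, now + skew * TOTP_STEP), code):
                self._last_code = code
                return True
        return False

    def disable_2fa(self, password: str, code: str, now: int) -> bool:
        """Needs the password AND a fresh TOTP code; the session's login state or a
        'remember this device' cookie is deliberately not consulted here."""
        if not self.check_password(password):
            return False
        if not self.verify_totp(code, now):
            return False
        self.twofa_enabled = False
        return True
```

The same `verify_totp` gate would sit in front of a password change or a new 2FA enrolment, which is the second case raised in the thread.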
 