


A simple bypass made Box's multi-factor authentication redundant


Avast cybersecurity
(Image credit: Avast)

Cybersecurity researchers have helped fix an issue with Box that could have been exploited to bypass multi-factor authentication (MFA) for accounts that relied on authenticator apps such as Google Authenticator.

The popular cloud storage company was alerted by researchers at Varonis after they found a relatively simple workaround to use stolen credentials to log into a Box account without providing a time-based one-time password (TOTP).

According to the researchers, Box allowed users access to some areas of the account after verifying their login credentials, but before entering the TOTP. They demonstrated a mechanism that allowed them to unenroll a user from MFA after providing a username and password but before providing the second factor.
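To show the flaw described above in runnable form, here is an added example (not Varonis's or Box's code): a toy login flow whose session sits in a half-authenticated state after the password check. The vulnerable settings handler, like the one the researchers describe, only checks the first factor, while the hardened one refuses to change MFA enrollment until the TOTP step has completed. The account, password and TOTP secret are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed sample account: the password and secret are placeholders, not Box data.
USERS = {"alice": {"password": "constructed-password",
                   "totp_secret": b"constructed-totp-secret"}}

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Session:
    """Login state: a password check alone leaves the session half-authenticated."""
    def __init__(self) -> None:
        self.user = None
        self.password_ok = False  # first factor verified
        self.mfa_ok = False       # second factor (TOTP) verified

def submit_password(session: Session, user: str, password: str) -> bool:
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        return False
    session.user, session.password_ok = user, True
    return True

def submit_totp(session: Session, code: str, unix_time: int) -> bool:
    if not session.password_ok:
        return False
    expected = totp(USERS[session.user]["totp_secret"], unix_time)
    session.mfa_ok = hmac.compare_digest(expected, code)
    return session.mfa_ok

def unenroll_mfa_vulnerable(session: Session) -> bool:
    # The flaw the article describes: only the first factor is checked, so the
    # half-authenticated session can remove its own MFA enrollment.
    return session.password_ok

def unenroll_mfa_hardened(session: Session) -> bool:
    # Security-sensitive settings are gated on the fully authenticated state.
    return session.password_ok and session.mfa_ok
```

The same gate belongs on every endpoint reachable from the post-password state, not only the unenroll call.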

"MFA is a step towards a safer internet and more resilient authentication for the SaaS [Software-as-a-Service] apps we rely on, but MFA isn't perfect. There has been a massive push towards TOTP-based MFA, but if there are any flaws in its implementation, it can be bypassed," the researchers point out.

Improper implementation

In addition to demonstrating the workflow for bypassing TOTP to log into a compromised account, the researchers also took the opportunity to make a few suggestions for businesses looking to introduce MFA.

For one, Varonis suggests that, in addition to requiring MFA, businesses must also apply single sign-on (SSO) wherever possible. They also ask businesses to enforce strong password policies, avoid using questions with easy-to-find answers as part of their authentication flows, and keep their eyes peeled for breached passwords from their domain on sites like HaveIBeenPwned.

"The above example is only one bypass technique for one SaaS platform. Many more exist—some of which we'll publish soon," conclude the researchers.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everybody to think he's TechRadar Pro's expert on the topic. Of course, he's just as interested in other computing topics, especially cybersecurity, cloud, containers, and coding.

Source: https://www.techradar.com/news/a-simple-bypass-made-boxs-multi-factor-authentication-redundant
