Brute-Forcing MFA Tokens

Submitted by jabrown on Thu, 06/14/2018 - 01:14


To add an additional layer of protection against unauthorized access to systems, multi-factor authentication (MFA) techniques are used. As the use of MFA increases, what techniques are effective at defeating this protection? In this experiment, brute-forcing techniques were used to test whether randomly generated or sequentially generated guesses can defeat MFA tokens. The results of the testing show that brute forcing a six-digit MFA token within a thirty-second window is not a practical technique.



MFA: Multi-Factor Authentication

HRNG: Hardware Random Number Generator

PRNG: Pseudo-Random Number Generator

TOTP: Time-based One Time Password



Multi-factor authentication is becoming more popular, especially the six-digit TOTP token type of MFA. Is it possible to brute force the token with random numbers? Using the birthday attack as inspiration, is there a way to brute force six-digit TOTP tokens?



Is multi-factor authentication based on six-digit soft tokens vulnerable to brute force attacks?

Does the use of randomly generated numbers perform better than sequentially generated numbers when conducting a brute force attack?



Two tests were performed, each with both randomly generated and sequentially generated numbers.

Test one was to identify the susceptibility of a randomly generated six-digit token to brute forcing. This test used a server running on a Raspberry Pi 3 with the Hardware Random Number Generator enabled to generate a random six-digit number every one and a half seconds. A client then tested this six-digit number against the randomly and sequentially generated numbers from the client’s Pseudo-Random Number Generator. The test was repeated to obtain one thousand results.

Test two was to test the practicality of a brute force attack against a network service that utilizes MFA as part of the authentication process. The service was configured without multiple failed attempt protection. The victim network service was OpenSSH with Google Authenticator as the second factor running on Arch Linux. The TOTP token was generated every thirty seconds. The attacker was a Python 3 script using the Pexpect module running on Arch Linux. The attempts occurred as fast as the connections allowed in a twenty-four hour period.





Figure 1: Sequential versus Random Generated Numbers



The results from test one show that brute forcing with sequentially generated numbers performs better than brute forcing with randomly generated numbers approximately sixty percent of the time.

The results of test two show that neither brute-forcing technique was practical: only a few thousand attempts were completed in the twenty-four hour period.
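As an added illustration (not part of the original study), the following Python model of test one assumes the comparison is which strategy reaches the token in fewer guesses, and that exactly one code is valid per window; it reproduces the roughly sixty percent figure both analytically and by simulation, and shows how a per-window attempt budget (for example a failed-attempt limit) bounds the chance of a hit.

```python
import math
import random

SPACE = 10**6  # six-digit TOTP codes: 000000 .. 999999


def p_sequential_wins(space=SPACE):
    """Probability that a sequential sweep (0, 1, 2, ...) hits a uniformly
    random token in strictly fewer guesses than random guessing with
    replacement.  Sequential needs t+1 guesses for token t; random needs
    G ~ Geometric(p = 1/space) guesses, with P(G > m) = (1-p)^m.
    The sum (1/space) * sum_{t=0}^{space-1} (1-p)^(t+1) is taken in closed
    form; for a large space it tends to 1 - 1/e, about 0.63."""
    p = 1.0 / space
    return (1 - p) * (1 - (1 - p) ** space)


def p_hit_in_window(attempts, space=SPACE, strategy="sequential"):
    """Chance of hitting the current token with a fixed number of attempts
    inside one token window (assumption: one valid code per window).
    A failed-attempt limit caps `attempts`, which caps this probability."""
    if strategy == "sequential":
        # No repeated guesses: exactly the covered fraction of the space.
        return min(attempts, space) / space
    # Random with replacement: repeated guesses waste attempts.
    p = 1.0 / space
    return 1 - (1 - p) ** attempts


def simulate_test_one(trials, space=SPACE, seed=1):
    """Monte Carlo of test one: how often the sequential strategy reaches
    the token before the random one does.  The random strategy's guess
    count is drawn directly from the geometric distribution (inverse CDF)
    instead of looping through up to a million guesses per trial."""
    rng = random.Random(seed)
    p = 1.0 / space
    seq_wins = 0
    for _ in range(trials):
        token = rng.randrange(space)
        seq_guesses = token + 1
        u = 1.0 - rng.random()  # uniform in (0, 1]
        rand_guesses = max(1, math.ceil(math.log(u) / math.log(1 - p)))
        if seq_guesses < rand_guesses:
            seq_wins += 1
    return seq_wins / trials
```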



It was found that to successfully brute force a six-digit MFA token, the attacker would need to make thousands of attempts within the token generation window. If authentication is configured to limit the number of failed attempts, this attack is severely mitigated.


Future Work:

Any further work would be to make thousands of attempts within the TOTP token generation window against a service without any failed attempt protections.



Based on the current data, it can be said that brute forcing six-digit TOTP MFA tokens is technically possible but is not practical.

In a controlled testing environment only against randomly generated six-digit tokens, brute forcing with sequentially generated numbers is more successful than randomly generated numbers.

Are six-digit MFA tokens vulnerable to brute forcing? Yes, in a controlled test environment.

Does brute forcing with randomly generated numbers perform better than with sequentially generated numbers? No, sequentially generated numbers perform better in a controlled testing environment.



Birthday Attack