A simple bypass made Box’s multi-factor authentication redundant

Box has now patched the vulnerability

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurityresearchers have helped fix an issue withBoxthat could have been exploited to bypass multi-factor authentication (MFA) for accounts that relied on authenticator apps such asGoogleAuthenticator.

The popularcloud storagecompany was alerted by researchers at Varonis after they found a relatively simple workaround to use stolen credentials to log into a Box account without providing a time-based one-timepassword(TOTP).

According to the researchers, Box allowed users access to some areas of the account after verifying their login credentials, but before entering the TOTP. They demonstrated a mechanism that allowed them to unenroll a user from MFA after providing a username and password but before providing the second factor.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

“MFA is a step towards a safer internet and more resilient authentication for theSaaS[Software-as-a-Service] apps we rely on, but MFA isn’t perfect. There has been a massive push towards TOTP-based MFA, but if there are any flaws in its implementation, it can be bypassed,”point outthe researchers.

Improper implementation

In addition to demonstrating the workflow for bypassing TOTP to log into a compromised account, the researchers also took the opportunity to make a few suggestions for businesses looking to introduce MFA.

For one, Varonis suggests that, in addition to requiring MFA, businesses must also use single sign-on (SSO) wherever possible. They also ask businesses to enforce strong password policies, avoid using questions with easy-to-find answers as part of their authentication flows, and keep their eyes peeled for breached passwords from their domain on sites likeHaveIBeenPwnd.

“The above example is simply one bypass technique for one SaaS platform. Many more exist—some of which we’ll publish soon,” conclude the researchers.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Arcane season 2 act 1 ending explained: who is [SPOILER], when is episode 4 coming out, and your biggest questions answered