Brute Forcing TOTP Multi-Factor Authentication is Surprisingly Realistic

Created: 2022-09-17T09:14:58-05:00

This card pertains to a resource available on the internet.

Action item: enforce rate limits and, when too many failed logins occur, trigger a lockout, require secondary authentication or wake up the blue team.

A brute-force attack only has to guess one of the valid PINs on any given try. The chance of hitting the right number does not decrease with each attempt.

If no lockout system is in place, a six-digit PIN can be broken within around twenty hours.
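
One way to implement the action item, as an added example that is not taken from the linked resource: a per-account failure counter around TOTP verification that locks the account and raises an alert. The class name `TotpGuard`, its thresholds (5 failures in 300 seconds, 900-second lockout) and the alert hook are assumptions chosen for illustration; `totp` follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import struct
import time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class TotpGuard:
    """Hypothetical wrapper: counts failed codes per account, locks out and alerts."""

    def __init__(self, max_failures=5, window=300, lockout=900,
                 alert=print, clock=time.time):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.alert, self.clock = alert, clock
        self.failures = {}      # account -> timestamps of recent failed codes
        self.locked_until = {}  # account -> time at which the lockout ends

    def verify(self, account: str, secret: bytes, code: str) -> str:
        now = self.clock()
        if now < self.locked_until.get(account, 0):
            return "locked"  # the code is not even checked while locked out
        # Accept the current and the previous step to tolerate clock drift.
        valid = (totp(secret, now), totp(secret, now - 30))
        if any(hmac.compare_digest(code.encode(), v.encode()) for v in valid):
            return "ok"  # failures are not cleared here; they age out of the window
        recent = [t for t in self.failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.alert(f"TOTP lockout: {account}: {len(recent)} bad codes in {self.window}s")
        return "denied"

if __name__ == "__main__":
    guard = TotpGuard(max_failures=3)
    key = b"constructed-demo-secret"  # constructed sample secret
    for guess in ("000000", "000001", "000002", totp(key, time.time())):
        print(guess, guard.verify("alice", key, guess))
```

Failures are deliberately not reset by a successful login, so a legitimate user signing in does not wipe an attacker's count on the same account.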