15 Buggy Software

This chapter will cover vulnerabilities in MFA solutions, discussing common types of software vulnerabilities, potential exploitation outcomes, real-world examples, and defenses.

Introduction

There is no such thing as perfect, flawless computer programming, at least not yet in the real world, not even from the very programmers who tried their hardest to prove it was possible. Today the situation is quite the opposite: software, firmware, and chip vulnerabilities are everywhere. As Figure 4.1 in Chapter 4, “Usability vs. Security,” showed, there were 12,174 publicly announced vulnerabilities in 2019, 16,556 the year before, and 14,714 the year before that. So far humans have been pretty poor at writing flawless code. Some argue that artificial intelligence (AI) will one day produce flawless code, but I find that a specious argument at best. The AI that humans would need to write would be flawed like everything else we have ever made, and somehow I'm supposed to believe that flawed AI code would magically be capable of producing flawless code? I don't buy it.

As Figure 5.1 in Chapter 5, “Hacking MFA in General,” showed, every MFA solution has many components. We have to assume that every component and dependency in an authentication solution has one or more vulnerabilities and is a potential attack vector. Many hundreds to thousands of security vulnerabilities have been found in all sorts of authentication software. If you want to see if your favorite ...

Excerpt from Hacking Multifactor Authentication, published on the O’Reilly learning platform.