19 API Abuses
This chapter covers hacking multifactor authentication solutions through, or with the help of, their application programming interfaces. I'll review some terms and technologies introduced earlier and add new ones, so that you understand what they mean in context when you read about MFA APIs.
Introduction
As covered earlier in Chapter 3, “Types of Authentication,” application programming interfaces (APIs) are created by the developers of an underlying technology or service so that other developers and users can interface with the product programmatically. APIs let other people and services interact with a product quickly and extend its functionality easily. They are a staple of the computing world, especially if you want your product to be widely adopted and used. If an API is created and the general public can access and use it, it is known as an open or public API.
As an example, the HaveIBeenPwned website (haveibeenpwned.com), which can tell you whether a particular logon name or password has been part of a known breach, has an API (haveibeenpwned.com/API/v3) that anyone can use; it is now on its third version. (Since version 3, the per-account breach lookup requires an API key, sent in an hibp-api-key header, while the Pwned Passwords range lookup does not.) HaveIBeenPwned's API allows a different account lookup every 1.5 seconds. If you tried to look up different accounts or passwords manually using the website, you would probably be lucky to submit a new one every 10–15 seconds, so using the API gives roughly a 7× to 10× speed increase when doing multiple lookups. On top of that, what the website can look ...
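The paragraph above describes what makes an API attractive to an attacker as much as to a developer: a scriptable lookup per account, paced at a fixed interval, instead of a human typing into a form. The following is an added example (it is not code from the book or from HaveIBeenPwned) of a paced bulk-lookup client shaped like the HIBP v3 breached-account endpoint. The URL shape, the hibp-api-key header and the 1.5-second spacing come from the text and the public API description; the account names, breach names and HTTP responses are constructed so that the code runs offline, and the fetch function is a stand-in the caller would replace with a real HTTP request.

```python
"""Paced client for an HIBP-v3-style per-account breach lookup.

Added example, not the book's or HIBP's code. Runs offline against
constructed responses; the fetcher is pluggable for live use.
"""
import json
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

# Shape of the HIBP v3 breached-account endpoint; the live service also
# requires an 'hibp-api-key' header and a descriptive 'user-agent'.
BREACHED_ACCOUNT_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{account}"
MIN_INTERVAL_SECONDS = 1.5  # one lookup per 1.5 s, as the chapter states

# fetch(url, headers) -> (http_status, response_body)
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]


class RateLimiter:
    """Keeps calls at least min_interval apart. Clock and sleep are injectable
    so the pacing can be verified without actually waiting."""

    def __init__(self, min_interval: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleeper: Callable[[float], None] = time.sleep) -> None:
        self.min_interval = min_interval
        self._clock = clock
        self._sleep = sleeper
        self._last: Optional[float] = None

    def wait(self) -> float:
        """Block until the next call is allowed; return the seconds waited."""
        now = self._clock()
        waited = 0.0
        if self._last is not None:
            remaining = self.min_interval - (now - self._last)
            if remaining > 0:
                self._sleep(remaining)
                waited = remaining
                now += remaining
        self._last = now
        return waited


class BreachLookup:
    """Looks accounts up one at a time while honouring the API's pacing."""

    def __init__(self, fetch: Fetcher, limiter: RateLimiter, api_key: str) -> None:
        self._fetch = fetch
        self._limiter = limiter
        self._headers = {"hibp-api-key": api_key, "user-agent": "example-paced-client"}

    def breaches_for(self, account: str) -> List[str]:
        """Return breach names for one account; [] when the API answers 404."""
        self._limiter.wait()
        url = BREACHED_ACCOUNT_URL.format(account=quote(account, safe=""))
        status, body = self._fetch(url, self._headers)
        if status == 404:   # account appears in no known breach
            return []
        if status == 429:   # outran the limit despite pacing
            raise RuntimeError("rate limited; increase MIN_INTERVAL_SECONDS")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status}")
        # v3 returns a truncated JSON array of {"Name": ...} objects by default
        return [entry["Name"] for entry in json.loads(body)]

    def breaches_for_many(self, accounts: List[str]) -> Dict[str, List[str]]:
        return {account: self.breaches_for(account) for account in accounts}


# --- Offline stand-ins: constructed data, not real HIBP responses ----------

CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, str]] = {
    "alice@example.com": (200, '[{"Name":"ExampleBreachA"},{"Name":"ExampleBreachB"}]'),
    "bob@example.com": (404, ""),
}


def offline_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Stand-in for an HTTP GET; swap in a real request for live lookups."""
    account = unquote(url.rsplit("/", 1)[1])
    return CONSTRUCTED_RESPONSES.get(account, (404, ""))


class FakeClock:
    """Virtual clock so the 1.5 s pacing is observable without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def run_demo(accounts: List[str]) -> Tuple[Dict[str, List[str]], float]:
    """Look the accounts up offline; return results and virtual seconds elapsed."""
    clock = FakeClock()
    limiter = RateLimiter(MIN_INTERVAL_SECONDS, clock=clock.now, sleeper=clock.sleep)
    lookup = BreachLookup(offline_fetch, limiter, api_key="placeholder-key")
    return lookup.breaches_for_many(accounts), clock.now()


if __name__ == "__main__":
    results, elapsed = run_demo(["alice@example.com", "bob@example.com", "carol@example.com"])
    for account, names in results.items():
        print(f"{account}: {names or 'not found'}")
    print(f"virtual time for {len(results)} lookups: {elapsed:.1f} s")
```

Three lookups cost 3.0 virtual seconds here (no wait before the first call, 1.5 s before each of the next two), which is the arithmetic behind the chapter's speed comparison. The point of injecting the clock is that pacing logic is easy to get wrong and expensive to test against a live service: a client that ignores the 429 response, or that measures the interval from the end of one request instead of the start, will be throttled or blocked in practice.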