Penetration Testing of One-Time Password Authentication
2024 (English) Independent thesis, Basic level (degree of Bachelor), 12 credits / 18 HE credits
Student thesis
Abstract [en]
Background. Multi-factor authentication (MFA) is a widely used service in today's world, specifically one-time passwords (OTP): a short, often counter- and/or time-based password the user enters as a secondary protection against attackers. These passwords are usually derived from a seed stored both on a server and on the user's phone. The website sends the password to the server, which compares it with the value it computes from the stored seed and either accepts or rejects it. Although many attacks have been theorized against this type of multi-factor authentication, few have been demonstrated in practice.
Objectives. This thesis intends to study the vulnerabilities of multiple areas of mobile-based OTP authentication systems and highlight the potential risks these threats pose.
Methods. In this thesis, we deployed an experimental approach which includes a 5-step model to investigate, find, and exploit vulnerabilities. The exploits are largely based on the vulnerabilities we found in an open-source OTP authentication infrastructure. We also employed a risk assessment method to evaluate the risks of the found exploits.
Results. The results show that the MFA infrastructure contains vulnerabilities in different system areas. Some vulnerabilities pose a larger threat, while others affect users more than organizations. The results include a vulnerability threat level and prioritization based on their impact on the user and infrastructure.
Conclusions. We conclude that there are four large known attack vectors in an OTP infrastructure that attackers can exploit to bypass authentication. We have shown a few ways to get past the authentication for a particular scenario. However, the attacker has to use different methodologies to exploit the system, depending on which part of the system is attacked. The study shows how the different vectors are individually affected and what an attacker gains from those attacks. The study also suggests possible mitigation strategies for the types of attacks identified in this study.
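The abstract describes the OTP mechanism only in outline: a shared seed on the server and the phone, a counter- or time-based code, and a server-side comparison. As an added illustration (example code written for this record, not code from the thesis), the following implements RFC 4226 HOTP and RFC 6238 TOTP in plain Python and a small in-memory verifier that shows the checks a server must do beyond a bare equality test: a constant-time comparison, a bounded clock-skew window, a replay guard that refuses a time step that has already been accepted, and a failure counter against code guessing. The seed is the RFC 4226 test-vector seed, so the values are verifiable; the `OtpVerifier` class, its `window` and `max_failures` parameters, and the sample timestamps are assumptions for this example.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 test-vector secret (ASCII "12345678901234567890").
# A real deployment generates a random seed per user and stores it server-side only.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits)


class OtpVerifier:
    """Server-side verifier (assumed design for this example).

    - window: how many steps of clock skew to tolerate on either side of 'now'
    - max_failures: lock the factor after this many wrong codes (6 digits are guessable)
    - last_accepted_step: highest time step already used, so a captured code cannot be replayed
    """

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, max_failures: int = 5):
        self.seed = seed
        self.step = step
        self.digits = digits
        self.window = window
        self.max_failures = max_failures
        self.failures = 0
        self.last_accepted_step = -1

    def verify(self, submitted: str, now: int) -> bool:
        if self.failures >= self.max_failures:
            return False                          # locked out: do not even evaluate the code
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue                          # replay guard: that step (or an older one) is spent
            expected = hotp(self.seed, candidate, self.digits)
            # Constant-time comparison so the response time does not leak matching prefixes.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Constructed sample timestamp: 59 s after the epoch is RFC 6238's first test time.
    v = OtpVerifier(DEMO_SEED)
    code = totp(DEMO_SEED, 59)
    print("TOTP at t=59:", code)                  # 287082
    print("first use accepted:", v.verify(code, 59))     # True
    print("replay accepted:", v.verify(code, 59))        # False
```

The replay guard is what distinguishes a verifier from a mere comparison: once a step has been accepted, a phished or intercepted code for that step is useless even within the skew window, and the lockout counter bounds how many of the million possible 6-digit codes an attacker can try against one account.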
Place, publisher, year, edition, pages
2024, p. 85
Keywords [en]
Information Security, Authentication, Penetration testing, One-Time Password, Vulnerability Assessment
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-26640
OAI: oai:DiVA.org:bth-26640
DiVA, id: diva2:1880460
Subject / course
DV1583 Degree Project for Bachelor of Science in Engineering
Educational program
Bachelor of Science in Engineering: Computer Security
Available from: 2024-08-27 Created: 2024-07-01 Last updated: 2024-08-27 Bibliographically approved