
We have a feature in our application that asks for a six-digit OTP before doing certain functions. It is sent via SMS and expiration is 5 mins. There has been an internal penetration test that exposed that this is vulnerable to brute-force attacks. What can we do programmatically to prevent this?

  • Shorten the time to like 30 secs, make the code longer, 6 chars or so, and use a strong algo to generate them. Implement code that locks users out after several failed attempts, or at least add a captcha after some failed attempts. – Nick M Feb 11 '19 at 06:13
  • It's already 6 digits – Hingle McJingleberry Mar 06 '19 at 05:20
  • I can think of 2 contending approaches: [1] let your OTP remain valid for the entire (short) lifetime of the txn, like say ~10 minutes, and build customer-level rate limits into your OTP verification API (like max 5 verification attempts every 30 seconds); [2] invalidate the OTP after ~10 failed verification attempts. I also like `@Nick M`'s idea of throwing a captcha after every 'n' failed verification attempts -> this would incorporate the goodness of both the approaches told earlier – y2k-shubham May 10 '22 at 04:57
  • Irrespective of the approach taken above, for sensitive applications, make sure you consider safeguards against timing attacks where an attacker could send a barrage of concurrent requests to befool your counter / rate-limiting mechanisms. As they say [here](https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks): `"Note that although adding a delay could slow a single-threaded attack, it is less effective if the attacker sends multiple simultaneous authentication requests"` – y2k-shubham May 10 '22 at 04:58
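The verification-side defences from the comments above (keep the question's 5-minute expiry, invalidate the code after ~10 failed attempts, and make the failure counter safe against a burst of concurrent guesses) as an added Python example; this is illustration code, not code from the question or from any answer here. The in-memory store, the `user_id` key and the `MAX_FAILED_ATTEMPTS` value are assumptions.

```python
import hmac
import secrets
import threading
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300      # the 5-minute expiry from the question
MAX_FAILED_ATTEMPTS = 10   # assumed limit: burn the code after this many misses


@dataclass
class OtpRecord:
    code: str
    expires_at: float
    failed_attempts: int = 0


class OtpStore:
    """One live six-digit OTP per user_id (assumed key), held in memory for this example.
    verify() reads and updates the failure counter under a lock, so a burst of concurrent
    guesses cannot all observe failed_attempts == 9 and slip past the limit."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._records = {}                   # user_id -> OtpRecord

    def issue(self, user_id: str) -> str:
        # CSPRNG-backed code, zero-padded so all 10**6 values are possible
        code = f"{secrets.randbelow(10**6):06d}"
        with self._lock:
            self._records[user_id] = OtpRecord(code, self._clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, user_id: str, candidate: str) -> bool:
        with self._lock:
            rec = self._records.get(user_id)
            if rec is None or self._clock() > rec.expires_at:
                self._records.pop(user_id, None)   # expired or absent: a new code must be requested
                return False
            # constant-time compare on bytes, so timing does not leak how many digits matched
            if hmac.compare_digest(rec.code.encode(), candidate.encode()):
                del self._records[user_id]         # single use: a correct guess consumes the code
                return True
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
                del self._records[user_id]         # burn the code; 10 guesses of 10**6 is not a search
            return False
```

In a multi-process or multi-node deployment the record would live in a shared store (a database row or a cache entry) and the check-and-increment must stay atomic there, otherwise the concurrent-request problem from the OWASP quote returns.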

1 Answer

  • Use a long text for the OTP, like 6-10 chars long, which will provide a lot of combinations, factorial(N). That will be a very big number that no ordinary system can guess in 5 minutes.
  • Use not only numbers but also characters, which can make your OTP stronger.
RK_15