Issue:
- A user signs up for an application account with email and password. They enable 2FA on said account.
- The user logs out and logs back in and they are correctly challenged for their 2FA code.
- The same user then links their OAuth account to their application account.
- The user logs into their account via their OAuth account and the application does not challenge for the 2FA that was previously enabled on the username/password login.
VRT Category Suggestion:
P5: Insufficient Security Configurability -> Weak 2FA Implementation -> 2FA Not Required on OAuth Authentication
Justification:
This would be considered a best practice rather than an exploitable vulnerability: if a user has previously set up 2FA on a username/password authentication mechanism and then links an OAuth account, authenticating through that OAuth account does not challenge for the previously configured 2FA. This is because authentication is handled within the OAuth implementation, and exploiting it would require prior compromise of the victim's OAuth account.
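As an added example (not code from the original report), the flow above as a small Python model: a login routine that attaches the 2FA step to the password path only, reproducing the reported behaviour, beside one that keys the second factor on the account's enrolment regardless of primary method, plus a check over constructed login-audit events for logins that completed without a second factor. The `User` fields and the audit-event keys are assumptions, not a real application's schema.

```python
from dataclasses import dataclass

MFA_REQUIRED = "mfa_required"
AUTHENTICATED = "authenticated"

@dataclass
class User:
    email: str
    mfa_enrolled: bool          # user completed 2FA enrolment (step 1 of the report)
    oauth_linked: bool = False  # an identity-provider account is linked (step 3)

def login_vulnerable(user: User, method: str) -> str:
    """Behaviour from the report: the 2FA step is attached to the password
    flow only, so a login through the linked OAuth account skips it."""
    if method == "password":
        return MFA_REQUIRED if user.mfa_enrolled else AUTHENTICATED
    if method == "oauth" and user.oauth_linked:
        return AUTHENTICATED  # provider authenticated the user; no local 2FA step
    raise ValueError("unsupported or unlinked method: " + method)

def login_hardened(user: User, method: str) -> str:
    """Fix: decide on the second factor from the account's enrolment state,
    independent of which primary method (password or OAuth) was used."""
    if method == "oauth" and not user.oauth_linked:
        raise ValueError("OAuth identity is not linked to this account")
    if method not in ("password", "oauth"):
        raise ValueError("unsupported method: " + method)
    return MFA_REQUIRED if user.mfa_enrolled else AUTHENTICATED

def reproduce(login) -> str:
    """Run the report's steps against a login function and return the
    outcome of the final OAuth login (step 5)."""
    user = User("alice@example.test", mfa_enrolled=True)  # step 1: enrol 2FA
    assert login(user, "password") == MFA_REQUIRED        # step 2: challenged
    user.oauth_linked = True                              # step 3: link OAuth
    return login(user, "oauth")                           # steps 4-5

# Detection over login-audit events: flag a successful login where the
# account has 2FA enrolled but no second factor was verified.
def find_unchallenged_logins(events):
    return [e for e in events
            if e["result"] == "success" and e["mfa_enrolled"] and not e["mfa_verified"]]

SAMPLE_EVENTS = [  # constructed sample data, not a real audit log
    {"user": "alice", "method": "password", "mfa_enrolled": True, "mfa_verified": True, "result": "success"},
    {"user": "alice", "method": "oauth", "mfa_enrolled": True, "mfa_verified": False, "result": "success"},
    {"user": "bob", "method": "oauth", "mfa_enrolled": False, "mfa_verified": False, "result": "success"},
]
```

`reproduce(login_vulnerable)` returns `authenticated` (the 2FA step was skipped) while `reproduce(login_hardened)` returns `mfa_required`; the audit check flags only alice's OAuth login.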