Authors: Jessica Berrios, Elias Mosher, Sankofa Benzo, Cinthya Grajeda, Ibrahim Baggili



Many sectors such as banking, academia, health care, and others have made Two-Factor Authentication (2FA) mandatory for all their registered users. The growth in the usage of 2FA technology demonstrates the need to understand how 2FA applications operate, the kind of information they store about their users, and the implications, if any, that may arise if malicious actors exploit them. Our work focuses on the forensic analysis of 15 2FA applications used by millions of people. Our analysis includes popular applications such as FreeOTP, Google Authenticator, Microsoft Authenticator, Twilio Authy, and more. The applications were tested on different operating systems (Android, iOS and Windows 10) and used with applications such as Facebook, Twitter and Instagram. Our methodology focused on not just forensically analyzing the devices’ storage, but also the network traffic of all devices and the memory of the Windows machine. Results revealed that the majority of analyzed applications store encrypted/encoded and plain text information, such as secret keys, timestamps, account names, e-mail addresses, the application locking pin, and more. Consequently, we believe that the critical discovery of secret keys allows for the 2FA functionally to be bypassed and it is demonstrated in this work. Our results revealed that 14 of 15 applications stored the name of the social media application/account information, and 14 of 15 applications stored either plain text, or encoded/encrypted secret keys. Finally, 2 of 15 applications stored a pin in plain text used to lock the application and/or encrypt all information on the disk.