SSO Exploits: Okta SSO + TOTP

Exploit Type: AitM, Session Hijack
Login Factors: Password, TOTP

What happened?

An adversary sets up a phishing proxy server that looks and behaves exactly like an SSO login page. This proxy will capture all information coming in and out of the server.

A victim is phished into visiting the malicious site and enters their username and password, and successfully completes the TOTP prompt.

Because the victim authenticated through the phishing proxy, the adversary captures the username, the password, and the session cookie for the application the victim signed in to. The adversary can use the stolen credentials and session to perform malicious actions such as an account takeover, data theft, or further lateral movement within the network.

Why is this an exploit?

If a victim is lured into visiting a phishing site, then TOTP as a second factor won't offer any defense. The login request is accepted by the real authentication server from the adversary's phishing server, and the login experience is the exact same for the end user.

Neither the victim nor the system administrator is notified, because the credentials and session used to access the system are stolen but otherwise legitimate.

How do you prevent this from happening?

Use phish-resistant MFA with origin validation. The authentication server should accept an authentication response only when it is bound to the legitimate origin, and reject responses relayed through an attacker-controlled domain. Even if a user falls for phishing, your authentication service should prevent any unsafe access.

Also, consider removing TOTP from your authentication protocol, as it is a known phishable login factor.
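Added example (not code from the original page or from Beyond Identity's product): a minimal server-side comparison of the two checks described above, showing why a TOTP code relayed by a proxy still verifies while an origin-bound assertion does not. It assumes a constructed relying-party origin and shared secret, and a simplified `clientDataJSON` builder standing in for what a browser would emit during a WebAuthn ceremony.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed sample values, not taken from any real deployment.
RP_ORIGIN = "https://login.example.com"
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # TOTP carries no information about where the code was typed: the server
    # only compares digits, so a code relayed through a proxy verifies identically.
    return hmac.compare_digest(totp_code(secret, unix_time), submitted)


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser attaches to an
    assertion; the browser fills in the origin it is actually talking to."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes, rp_origin: str) -> bool:
    """Origin and challenge checks a relying party performs on clientDataJSON
    before it even examines the authenticator signature."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False
    raw = data.get("challenge", "")
    challenge = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    if not hmac.compare_digest(challenge, expected_challenge):
        return False
    # A proxy on another domain cannot obtain an assertion naming the real
    # origin, so the relayed response is rejected here regardless of the user.
    return data.get("origin") == rp_origin
```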

Check out how Beyond Identity's phish-resistant MFA prevents this exploit from happening.
