« All posts

OIDC MFA Bypass: How One URL Parameter Skipped the Second Factor

An OIDC login flow let attackers skip MFA by editing a return URL; the fix moves enforcement from the login page to the token-issuing endpoint.

A team rolling out multi-factor authentication on an OIDC login flow found, during a pre-launch security review, that MFA could be skipped entirely by editing a URL. After submitting a password, the server set an authenticated cookie; instead of continuing to the MFA prompt, a user could jump straight to /connect/authorize, the endpoint that actually issues tokens. That endpoint only checked whether the session was authenticated, not whether it had cleared a second factor — so a password-only cookie and an MFA-verified cookie looked identical to it.

The fix reframes MFA from a UI step into a session property. Once the second factor is cleared, the login flow writes an mfa_authenticated marker into the cookie, and the token-issuing endpoint now requires that marker, not just an authenticated principal. A password-only session is bounced back to finish MFA regardless of which URL it targets. For federated sign-in, external identity providers that already enforce MFA set the same marker, so SSO users aren't challenged twice.

The broader lesson generalizes beyond MFA: enforce a control at the boundary that actually grants the protected resource, not at the interface step meant to lead there. Any check that only lives in the pages before that boundary is advisory, since an attacker can hit the underlying endpoint directly and skip the screen entirely.