Throughout June 2026, incident responders have documented a pattern of attackers bypassing two-factor authentication systems through brute-force attacks against one-time password (OTP) generation endpoints. In at least one documented case, attackers gained administrative access to customer accounts at a SaaS provider by exhausting the search space of time-based OTP values faster than rate-limiting mechanisms could stop them. The affected company discovered the compromise only after detecting unauthorized data downloads associated with breached accounts.
The attack is straightforward. If a 2FA system uses a six-digit TOTP (time-based one-time password) generated every 30 seconds, the effective search space is 1 million combinations. An attacker with rapid-fire API access and no rate-limiting, or rate-limiting that resets per IP, can test the full space in minutes. Once a valid code is obtained, the attacker completes the login and is inside. The compromise is silent: once authenticated, the attacker is indistinguishable from the legitimate user.
The root cause is almost always rate-limiting failure. Either the organization implementing 2FA did not apply aggressive request throttling to the OTP verification endpoint, did not lock accounts after repeated failed attempts, or did not restrict the number of verification attempts per code window. Some implementations allow users to request a new code within the same 30-second window, creating a freshly valid target and extending the attack surface. Others do not distinguish between legitimate retries and systematic brute-forcing.
The countermeasures are documented and well-understood: strict per-account rate-limiting on verification attempts (three failures per code window, lock on fourth), per-IP rate-limiting on endpoint access, exponential backoff after repeated failures, and alerts triggered on abnormal verification activity. The fact that these attacks succeed means the rate-limiting exists on paper, not in production. Organizations deploying 2FA should audit their OTP endpoint for these controls immediately. If you cannot tell whether an attacker is making a legitimate retry or running a systematic attack against your authentication system, you have no 2FA defense. The factor is only as strong as the rate-limiting that protects it.
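As an added illustration of the per-account control described above (this is example code, not from the affected provider or any named product), the verifier below counts failures per 30-second TOTP window, locks the account on the fourth failure, and doubles the lock duration on each successive lockout. The account-to-code table and the injectable clock are assumptions made so the example runs offline; a real deployment would pair this with per-IP limiting and alerting on lockout events.

```python
import hmac
import time
from dataclasses import dataclass

TOTP_STEP = 30                 # seconds per TOTP code window
MAX_FAILURES_PER_WINDOW = 3    # fourth failure in a window locks the account
BASE_LOCK_SECONDS = 60         # first lockout length; doubles on each repeat


@dataclass
class AccountState:
    window: int = -1           # TOTP window in which the failures were counted
    failures: int = 0          # failed attempts inside that window
    lockouts: int = 0          # consecutive lockouts, drives exponential backoff
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class OtpVerifier:
    def __init__(self, valid_codes: dict[str, str], now=time.time):
        # valid_codes: hypothetical account -> currently valid code; in production
        # this comes from the TOTP secret. `now` is injectable so tests can control time.
        self.valid_codes = valid_codes
        self.now = now
        self.state: dict[str, AccountState] = {}

    def verify(self, account: str, code: str) -> str:
        """Return 'ok', 'invalid', or 'locked'. Never reveals the code while locked."""
        t = self.now()
        st = self.state.setdefault(account, AccountState())
        if t < st.locked_until:
            return "locked"
        window = int(t // TOTP_STEP)
        if window != st.window:          # new code window: reset the per-window counter
            st.window, st.failures = window, 0
        expected = self.valid_codes.get(account, "")
        # constant-time comparison so failed attempts do not leak timing information
        if expected and hmac.compare_digest(code, expected):
            st.failures, st.lockouts = 0, 0
            return "ok"
        st.failures += 1
        if st.failures > MAX_FAILURES_PER_WINDOW:
            st.lockouts += 1
            st.locked_until = t + BASE_LOCK_SECONDS * 2 ** (st.lockouts - 1)
            return "locked"              # alert hook belongs here
        return "invalid"

    def lock_remaining(self, account: str) -> float:
        st = self.state.get(account)
        return max(0.0, st.locked_until - self.now()) if st else 0.0
```

Because failures are keyed to the time window rather than to a particular code, requesting a fresh code inside the same window does not reset the counter.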