Website MFA Bypass Vulnerability

Learn about a MFA bypass vulnerability on's website.

Founder of GRC Academy | CISSP-ISSEP, CCP @ GRC Academy | January 3, 2023 · 4 min read

Someone signing into the website.
Someone signing into the website.

Bottom Line Up Front

I was trying to log into my account, and completely bypassed the MFA I had in place – by accident.

For this vulnerability to be exploited, the following must have been in place:

  • The attacker already compromised the user’s password
  • The user hadn’t set up SMS (text messaging) as a MFA method

The attacker could compromise the user’s (ISC)2 account by entering the user’s credentials, registering a phone number during the login flow, and then using the text messaged code.

The video below discusses and demonstrates the issue.

Video demonstrating the MFA bypass


I was logging into the site to vote on their recent controversial bylaws amendment proposal when I accidentally discovered the MFA bypass. (ISC)2 is the organization behind the very popular CISSP certification, which is a highly regarded cybersecurity certification.

I had registered an authenticator app to use as MFA, but hadn’t registered text messaging as a method because… Well, text messaging isn’t secure (ie SIM swapping).

The site let me “Try something else” and REGISTER a NEW phone number – I was in! I just bypassed my own enrolled MFA method!


I haven’t been able to confirm this, but it appears this issue was caused by a SSO upgrade that ISC2 made on their website on 7/27/2022.

I reported the issue to them on Tuesday, 10/25/2022, and they called me on Friday, 10/28/2022, to ensure they understood my report. It appeared that they resolved the issue in mid-November, but I finally received confirmation that the issue was resolved on 12/13/2022. I did ask for the exact date that they resolved the issue for my report, but (ISC)2 said they wouldn’t release any further information.

The Details

In case you missed it, here is the video demonstration of this issue.

Here is the configuration of my MFA methods prior to the MFA bypass. Note that I only have “Google Authenticator” enabled.

Enabled MFA methods prior to MFA bypass

Here I am at the (ISC)2 login screen.

(ISC)2 login screen

After entering my username and password, the system prompted me for me a code from the authenticator app. I didn’t have access to the code, so I clicked on “Try Another Method.”

(ISC)2 login screen MFA Prompt

I didn’t remember the methods I had set up, so I tried “SMS Authentication” (which actually wasn’t enabled at this time).

(ISC)2 login screen – “Try another method”

Here is the problem. The site allowed me to register a NEW phone number, and enable the SMS MFA method during the login flow. ANY phone number could be used.

Registering a NEW phone number during the login flow

Here is the text message I received with the code.

The SMS code I received after registering the new phone number

Entering the code I received in the text message.

Entering the code I just received

…And I’m logged in. I just bypassed my own MFA!

Logged in after bypassing the MFA method I had configured

The system did generate an alert indicating that a new MFA method had been activated.

Email alert notifying me that SMS MFA method was activated

Here are the MFA options after enabling “SMS authentication” during the login flow.

Enabled MFA methods after the MFA bypass


1. Strong passwords still matter.

As long as we have deal to passwords, they remain an important defense layer. Even with the recent compromise of LastPass, the recommendation to use a password manager still stands:

  • Use a very strong master password
  • Generate very strong and unique passwords for each account

2. MFA isn’t a cure-all.

Unfortunately, this isn’t the first time we’ve seen improper MFA configurations on websites. We’ve also seen MFA defeated in different ways such as compromising MFA tokens.

Don’t neglect the importance of strong passwords.

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!