September 1, 2020
Abstract

Nowadays, mobile phones are widely used to enforce multi-factor authentication (MFA), either by receiving a code through SMS or, even better, by using a dedicated application as an authenticator. These applications have to be properly secured, because the final step of authentication relies on them.
During a penetration testing engagement, our client was using the HID ActivID Mobile Soft Token to enable 2FA on their VPN servers. With the client's agreement, we performed a security review of the ActivID Soft Token on both the Android and iOS platforms.