Multi-Factor Authentication
General things to look for:
- Forceful Browsing
- Changing parameters
- Changing body content
- Are things predictable?
- Backup codes present?
- Same code, multiple accounts?
- Can we trigger an error/weird behavior?
- Can you skip steps in the MFA flow?
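
Seen from the server side, several of the items above (forceful browsing, changed parameters, the same code on multiple accounts, skipped steps) come down to whether MFA state is held and checked by the server. The sketch below is an added example, not part of the original notes; the `MfaGate` class, its method names, the session layout and the `MAX_ATTEMPTS` value are all hypothetical.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumed lockout threshold, not from the notes


class MfaGate:
    """Hypothetical server-side MFA state, keyed by session id."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user", "mfa_ok", "attempts"}
        self.pending = {}   # user -> outstanding one-time code

    def password_ok(self, user):
        """Step 1 passed: open a session that is not yet MFA-verified."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "mfa_ok": False, "attempts": 0}
        # Code comes from a CSPRNG, so it is not predictable.
        self.pending[user] = f"{secrets.randbelow(10**6):06d}"
        return sid

    def verify(self, sid, code, claimed_user=None):
        """Step 2: the account comes from the session, never the request."""
        s = self.sessions.get(sid)
        if s is None or s["attempts"] >= MAX_ATTEMPTS:
            return False  # unknown session or too many guesses
        s["attempts"] += 1
        if claimed_user is not None and claimed_user != s["user"]:
            return False  # tampered user parameter in the request
        expected = self.pending.get(s["user"])
        if expected is None:
            return False  # no outstanding code (already used)
        if not hmac.compare_digest(expected.encode(), str(code).encode()):
            return False
        del self.pending[s["user"]]  # single use
        s["mfa_ok"] = True
        return True

    def can_access(self, sid):
        """Checked on every protected route, so browsing past step 2 fails."""
        s = self.sessions.get(sid)
        return bool(s and s["mfa_ok"])
```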