2. Two-factor authentication (2FA) misconfiguration
If you want to strengthen the protection of your clients in your application, you will turn to two-factor authentication (2FA), which helps you verify user actions (transactions, password changes, etc.). Implementing it is not enough, however; configuring it properly matters far more.
Make sure that your two-factor authentication mechanism is configured properly:
- Don't allow the source (delivery channel) used to obtain the second-factor code (OTP) to be changed.
- Limit the number of OTP validation attempts.
- An OTP must not be reusable anywhere else and must be unique for every request.
- Make sure that your OTP codes are not predictable.
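The four checks above, as an added example that is not part of the original article: a small Python OTP challenge store (names such as `OtpStore`, `MAX_ATTEMPTS` and `OTP_TTL_SECONDS` are assumptions chosen here) that issues an unpredictable code bound to one user action, limits validation attempts, and consumes the code on first success so it cannot be replayed.

```python
import hmac
import secrets
import time
from typing import Tuple

OTP_DIGITS = 6
MAX_ATTEMPTS = 3          # lockout threshold for a single challenge (assumed value)
OTP_TTL_SECONDS = 300     # a code is only valid inside its own request window


class OtpStore:
    """In-memory store of pending OTP challenges, one per request.
    Constructed for this example; a real deployment keeps this state
    server-side in a database or cache, never in the client."""

    def __init__(self):
        self._challenges = {}

    def issue(self, user_id: str, action: str) -> Tuple[str, str]:
        """Create a fresh, unpredictable OTP bound to one user action.
        Returns (challenge_id, code): the code goes to the user's registered
        delivery channel, the id travels with the request being confirmed."""
        challenge_id = secrets.token_urlsafe(16)
        # secrets.randbelow draws from the OS CSPRNG, so a code cannot be
        # derived from earlier codes, the clock or a counter.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[challenge_id] = {
            "user": user_id, "action": action, "code": code,
            "attempts": 0, "expires": time.time() + OTP_TTL_SECONDS,
        }
        return challenge_id, code

    def verify(self, challenge_id: str, user_id: str, action: str, submitted: str) -> bool:
        """Validate a submitted code against its own challenge only.
        The challenge is removed on success, on expiry and when the attempt
        limit is reached, so a code is single-use and cannot be guessed
        exhaustively or replayed against a different action."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch["expires"] < time.time():
            self._challenges.pop(challenge_id, None)
            return False
        # The code only counts for the user and action it was issued for.
        if ch["user"] != user_id or ch["action"] != action:
            return False
        if ch["attempts"] >= MAX_ATTEMPTS:
            del self._challenges[challenge_id]      # lock this challenge out
            return False
        ch["attempts"] += 1
        if hmac.compare_digest(ch["code"], submitted):  # constant-time compare
            del self._challenges[challenge_id]      # consume: no reuse
            return True
        return False
```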