The application's multi-factor authentication implementation contains flaws that allow an attacker who already holds a user's first factor (for example, a valid password) to bypass the second factor by manipulating the authentication flow, such as tampering with client-supplied parameters or skipping the MFA step altogether.
An attacker could gain unauthorized access to accounts protected by MFA, undermining the additional security layer and potentially compromising sensitive data and administrative functions.
Enforce MFA verification server-side at every step of the authentication flow. Track the authentication stage (password verified, second factor verified) in server-side session state, never in client-controllable parameters, and do not treat a session as fully authenticated until the server itself has verified the second factor. Validate the complete flow on the server so that post-MFA resources cannot be reached from an earlier stage. Require MFA, or a fresh re-verification of it, for all sensitive operations, not just login.
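The following is an added example, not code from the application or the original finding, that contrasts a flow which copies a client-supplied `mfa_complete` flag into the session with a server-side state machine that only advances when the server has verified the factor itself. Everything in it is assumed for illustration: the endpoint names, the in-memory session dictionary, the fixed password and TOTP code used in place of real verifiers, and the 300-second step-up window for the sensitive operation.

```python
"""Added example: client-trusted MFA flag vs. server-side authentication stage."""
import hmac
import time

# Constructed credential store. The password and TOTP code are fixed strings so
# the example runs offline; they stand in for real password and TOTP verifiers.
USERS = {"alice": {"password": "correct horse", "totp": "123456"}}
MFA_FRESHNESS_SECONDS = 300  # assumed step-up window for sensitive operations


def _check_password(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password or "")


def _check_totp(user, code):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["totp"], code or "")


def vulnerable_handler(sessions, sid, req):
    """Flawed flow: the server records whatever the client claims about MFA."""
    sess = sessions.setdefault(sid, {})
    if req["path"] == "/login":
        if not _check_password(req.get("user"), req.get("password")):
            return 401, "bad credentials"
        sess["user"] = req["user"]
        # Flaw: a client-supplied parameter decides whether the second factor
        # was satisfied, so sending mfa_complete=true skips /mfa entirely.
        sess["mfa_complete"] = req.get("mfa_complete") == "true"
        return 200, "password ok"
    if req["path"] == "/mfa":
        if sess.get("user") and _check_totp(sess["user"], req.get("code")):
            sess["mfa_complete"] = True
            return 200, "mfa ok"
        return 401, "bad code"
    if req["path"] == "/account":
        if sess.get("user") and sess.get("mfa_complete"):
            return 200, f"account of {sess['user']}"
        return 401, "mfa required"
    return 404, "not found"


def hardened_handler(sessions, sid, req, now=None):
    """Server-side state machine: anonymous -> password_ok -> authenticated.

    Only the server advances `stage`, and only after it verified the factor;
    nothing from the request body is copied into the authentication state.
    The sensitive /change-password operation additionally requires a recent
    MFA verification (step-up), not just an authenticated session.
    """
    now = time.time() if now is None else now
    sess = sessions.setdefault(sid, {"stage": "anonymous"})
    path = req["path"]
    if path == "/login":
        if not _check_password(req.get("user"), req.get("password")):
            sessions[sid] = {"stage": "anonymous"}
            return 401, "bad credentials"
        # Fresh state on every login: any earlier MFA result is discarded.
        sessions[sid] = {"stage": "password_ok", "user": req["user"]}
        return 200, "second factor required"
    if path == "/mfa":
        # Reachable only from password_ok, so it cannot run before the first
        # factor and cannot be replayed once the session is authenticated.
        if sess["stage"] != "password_ok":
            return 401, "not in mfa stage"
        if not _check_totp(sess["user"], req.get("code")):
            return 401, "bad code"
        sess["stage"] = "authenticated"
        sess["mfa_verified_at"] = now
        return 200, "authenticated"
    if path == "/account":
        if sess["stage"] != "authenticated":
            return 401, "authentication incomplete"
        return 200, f"account of {sess['user']}"
    if path == "/change-password":
        if sess["stage"] != "authenticated":
            return 401, "authentication incomplete"
        if now - sess["mfa_verified_at"] > MFA_FRESHNESS_SECONDS:
            return 403, "recent mfa required"
        return 200, "password changed"
    return 404, "not found"


def demo():
    """Attacker knows only alice's password. Returns (vulnerable, hardened) status."""
    vuln, hard = {}, {}
    login = {"path": "/login", "user": "alice", "password": "correct horse",
             "mfa_complete": "true"}
    vulnerable_handler(vuln, "s1", login)
    v_status, _ = vulnerable_handler(vuln, "s1", {"path": "/account"})
    hardened_handler(hard, "s2", login)
    h_status, _ = hardened_handler(hard, "s2", {"path": "/account"})
    return v_status, h_status


if __name__ == "__main__":
    print(demo())
```

With only the password in hand, the vulnerable handler serves `/account` because the session inherited the attacker's `mfa_complete=true`, while the hardened handler refuses until `/mfa` has been passed in the correct stage. The same stage check is what stops a client from requesting `/account` directly after `/login`, and the `mfa_verified_at` timestamp is what lets a sensitive endpoint demand step-up MFA instead of relying on the login-time check alone.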