Time-based two-factor authentication tokens, and plug-ins that use them, are only as good as your time signal, and in the right (wrong) circumstances, they can be brute-forced.
Security researcher Gabor Szathmari says the problem is that if your 2FA tokens depend on the network time protocol (NTP), it's too easy for a sysadmin to put together an attackable implementation.
As he explains in two posts here (the background) and here (proof of concept), if an attacker can trick NTP, they can mount a brute-force attack against the security tokens produced by Google Authenticator (the example in the POC) and a bunch of other Time-based One-time Password Algorithm-based (TOTP) 2FA mechanisms.
Under TOTP, a seed is combined with the time to produce the token, and as Szathmari points out, “the same combination of secret key and timestamp always generates the same 6-digit code.”
That's where NTP comes in. After the world realised the ntpd daemon was vulnerable, it got patched with validation algorithms so as not to accept bogus timestamps, Szathmari writes.
However, he says, a lot of sysadmins still use the deprecated ntpdate, which doesn't run validation.
(There also remain vectors by which ntpd could be attacked, he writes: for example, if an attacker can remotely crash and restart the daemon, in which case it can be convinced to accept a bogus time server; or by exploiting bugs like CVE-2015-5300.)
Time manipulation is what creates the attack vector, Szathmari says. A malicious time source can strand the victim's clocks in a time warp, making them retain the same six-digit token long enough to step through the million possible combinations, and brute-force the 2FA.
His proof-of-concept code, Szathmari says, was able to get a valid token in 39 minutes.
If you have ntpdate, now's a good time to kill it and replace it with an up-to-the-minute ntpd. ®