I found a way to bypass two factor authentication on login.gov which contains critical informations in it. This vulnerability occurs because of the misconfigurated token. The account creating process of login.gov is very interesting. You need to confirm your email first, instead of last. I realised that this might cause some security problems. And it…