2FA is key but is just one part of a robust security strategy

With cyberthreats continuing to rise and becoming increasingly more sophisticated, it’s vital for your business to have the appropriate cybersecurity protection measures in place.

Password protection alone is not sufficient, and two-factor authentication is one of the best cybersecurity controls organisations can implement to prevent breaches. However, while two-factor authentication is considered a more secure method of protecting accounts compared to using just a password, no security measure is entirely fool-proof and hackers can find ways to circumnavigate it.

What Is Two-Factor Authentication?

Two-factor authentication (2FA) is a security system that can be used to strengthen the security of an online account or mobile device. It requires two distinct forms of identification in order to access an account from the user, such as a password or PIN, a code sent to the user’s smartphone or facial/fingerprint recognition.

Adding a second step of authenticating users’ identities makes it more difficult for cybercriminals to access data, significantly reducing the likelihood of fraud, data loss and identify theft.

Types of 2FA Protection

2FA via SMS
SMS 2FA involves sending a short one-time password (usually six digits long) to the user via text message, which they need to enter into their web browser or app to prove their identity and gain access to their account.

SMS-based 2FA doesn’t require your phone to be online, an advantage over many other authentication methods that require an internet connection. This verification method is popular as most people have an SMS-enabled mobile device and it’s also convenient as the user doesn’t need to install an app.

However, SMS is regarded as a vulnerable 2FA communications protocol by security experts due to the possibility of SIM swapping attacks. Twitter made headlines recently when the company announced it would no longer allow non-Twitter Blue users to enrol in SMS-based two-factor authentication, citing security concerns that SMS 2FA had been “used and abused by bad actors”. The company’s owner, Elon Musk, claimed this abuse cost Twitter about US$60m a year.

2FA via Voice Call
The phone call method is similar to SMS 2FA, except the user receives a phone call with the verification code provided via a computer voice message rather than a text message. It allows users to log in to an account who are not reachable by SMS.

2FA via Email
2FA via email means the user receives an email with a verification code or One-Time Password (OTP), as long as they have an internet connection. Often, the user gets a unique link in the email rather than a passcode that grants access to the account. One disadvantage to receiving a verification email is that it can go to the user’s spam folder.

2FA via Authenticator App
TOTP stands for ‘Time-based One-Time Passwords’ and is a popular form of two factor authentication because it’s easy to implement and use.

It requires the user to download an app like Microsoft Authenticator, Google Authenticator, Authy or Salesforce Authenticator. Unique numeric passwords are generated with a standardised algorithm that uses the current time as an input.

When the user logs into the online application from a new or unknown device, they are prompted to open the authenticator app on their device. The authenticator app generates an OTP, usually six to eight digits long, and refreshes every 30 seconds. After entering this code into the online account, the user is verified and is granted access.

One disadvantage is that anyone who can access the user’s mobile device or computer can also compromise the account.

2FA via Key Fob Hardware
Key fob hardware (also called security keys, U2F keys or physical security keys) is one of the oldest 2FA methods and adds an extra layer of security to online accounts. Yubikey by Yubico or Google Titan are small devices that connect to your computer, either via the USB port or wireless connectivity, to generate a one-time passcode that can be used to log in to the service.

Physical keys are considered highly secure because they must be in your possession, and cannot be easily bypassed should a cybercriminal have compromised your credentials. The hardware tokens are also easy to implement and don’t require an internet connection.

However, it can be expensive for a business to issue and maintain one for every user, and the physical device can also be lost or stolen.

 

Various Ways Hackers Bypass Two-Factor Authentication

Understanding how hackers bypass 2FA typically involves sophisticated methods such as SIM swapping, phishing attacks or exploiting vulnerabilities in the implementation of 2FA itself. They often target specific individuals or organisations rather than being widespread attacks.

1. Social Engineering

What is known as ‘social engineering’ is a non-technical attack in which hackers take advantage of human behaviour to persuade a user to do something, such as click on a link. The cybercriminal will have already obtained the user’s username and password, then tricks the victim to unknowingly provide critical passcode information and reveal the 2FA code.

 

In other cases, the attacker knows enough basic information about the user to call customer service and pose as the user. They will say they have been locked out of their account or are having issues with the authenticator app. If they are convincing enough, they will obtain what they need from the customer service agent.

2. SIM Swapping

SIM swapping, also known as SIM splitting, SIM jacking or SIM hijacking, is a technique used by hackers to get control of your phone number.  Despite what the name suggests, SIM swapping does not involve you taking your phone’s SIM card out and putting it in a criminal’s device. Instead, what usually happens is the attacker will call your mobile network provider and pretend to be you. Then, they try to get your number added onto their SIM card. 

Control over the phone number means the hacker can intercept the OTP sent via text message, taking advantage of two-factor authentication to gain access to your bank accounts, social media accounts and other personal accounts.

Some countries, like Australia, have introduced rules requiring telecoms companies to properly verify who someone is before allowing them to port a mobile number to a new provider.

3. Open Authorisation (OAuth)

Open Authorisation, also known as OAuth, is widely used for granting third-party applications limited access to a user’s resources on a service provider’s platform, without sharing the user’s credentials or password.

For example, you can give an app permission to post on your Facebook account, thereby granting access to your account using OAuth, but not providing your password to Facebook.

Any website that allows you to delegate access via OAuth can also be used by an attacker as part of an OAuth phishing campaign or consent phishing, where the attacker pretends to be a legitimate OAuth app. If the victim grants access, the attacker can do as they please within the scope of access they requested.

4. Logging Into Phishing Websites

Phishing is one of the oldest internet threats. Often, phishing websites will look similar, if not identical, to the site you’re trying to visit. If you use them and submit personal information, such as your banking details, it is known as ‘consent phishing’, allowing the hacker to disregard credentials and bypass any 2FA that may be in place.

Although phishing websites are more difficult to spot, you can look for a few subtle signs to protect yourself, such as spelling errors, or the URL is slightly different (for example: a .co domain, when the official one is .com).

5. Phishing Emails

A skilfully composed phishing email is all it takes to gain information from vulnerable users, and 2FA is not immune to this threat. Malicious software installed on vulnerable devices can capture passwords and information that allow it to bypass the authentication steps. For example, when online users rely on security questions as the “next step” after entering a password, phishers can send an email requesting a user to verify their security questions. In the process, the phishers can take these questions and use them for themselves.

 

6. Brute Force

Attackers sometimes opt for a brute force approach depending on the age of the equipment being used by the target. For example, some legacy key fobs are only four digits long and therefore easier to crack (longer OTP codes increase the difficulty because there are more permutations to decipher).

The obstacle for hackers is that OTPs are only valid for a short time, usually between 30 and 60 seconds, so there are a limited number of codes to try before it changes. When 2FA is implemented correctly, the 2FA authentication server prevents this type of attack by only allowing a small number of incorrect OTP codes per user.

7. Cookie Stealing/Session Hijacking

Cookie stealing, otherwise known as session hijacking, is stealing the user’s session cookie. When users log into a site, they do not need their password every time.

A cookie contains the user’s information, keeps the user authenticated and tracks their session activity. The session cookie stays in the browser until the user logs out; closing the window doesn’t log the user out, allowing a hacker to use the cookie to his advantage. Once the hacker acquires the session cookie, he can bypass the two-factor authentication.

8. Man-in-the-Middle

Whenever you share information online, you’re never 100% secure, even if you use 2FA. Many hackers use Man-in-the Middle (MITM) attacks to steal your information after you’ve shared it. A MITM attack involves the criminal getting into the path of your data transfer and pretending that they’re both parties. One particular problem with this tactic is that often, you won’t know what’s going on.

Fortunately, you can protect yourself against MITM attacks in several ways. Using a secure Virtual Private Network (VPN) will help encrypt your information, meaning a would-be hacker is wasting their time trying to get a hold of it.

You can also protect yourself against a MITM attack by not using public Wi-Fi. Many networks aren’t secure, and gathering your information is much easier for a criminal. Instead, only use secure wireless networks, such as your home or office Wi-Fi.

9. Losing your credentials

Even if you use 2FA, you could still lose your credentials. For example, you might need to update your number after buying a new phone. If you don’t update your 2FA details as soon as you lose access, you risk having someone else enter your account. Always ensure that your phone number and email address is updated.

10. Account Recovery

Account recovery bypasses the 2FA system, which provides hackers with a simple loop-hole. When you want to reset your password, you are usually sent a temporary password via email. When this happens, cybercriminals can gain access to your account by swiping this temporary passcode before you do.

 

How To Effectively Secure Two-Factor Authentication

While it is essential to recognise that no security measure is perfect, enabling 2FA remains an effective step in bolstering your account security and provides an extra layer of defence against cybercriminals.

 

Here are some tips to consider:

• Always use authenticator apps like Google Authenticator or Authy instead of SMS-based codes. These apps generate TOTP offline, reducing the risk of interception.
• Whenever possible, use longer codes with more than six characters.
• Use complex passwords from a password generator and a password manager.
• Never reuse passwords and never share your security codes with anyone else.
• Regularly update software and 2FA apps to ensure you have the latest security patches and features.
• Use a security key as an alternative form of 2FA authentication. Instead of sending a code to your phone, security keys contain a hardware chip, and use Bluetooth or USB to be the additional factor needed to log into your account. The security key stores its own password and requires the site to prove it’s legitimate before releasing the password and getting you signed in.
• Save and securely store backup codes provided by services when setting up 2FA. These codes can be used to access your account if you lose your device or are unable to use the usual 2FA methods.
• If you find yourself on a phishing website, leave the page as soon as you notice. You can mitigate your risk before browsing by checking if a website is safe to use.
• If you’ve lost your device, you must take steps to limit the damage. Call your network provider to cancel your SIM, and do the same with any bank cards that could be stored on your phone.
• Educate yourself and your staff regarding common social engineering tactics.

In summary

It’s important to follow best practices by always implementing two-factor authentication, but it’s also vital to regularly update your software and stay vigilant against phishing attempts, to further enhance your overall security posture.

If you would like further advice from a third-party security consultancy, Securus offers solutions that help protect your company from the types of 2FA attacks described in this article.

To find out more, call one of our cybersecurity experts today on 0345 128 3457.

Call us on 0345 128 3457 to find out more.