Current security best practice includes Two-Factor Authentication (2FA) for protecting sensitive accounts. For both business and personal accounts, requiring a second proof of identity beyond the password, such as a code delivered by phone or email, adds a layer of defence against cybercriminals.
2FA also covers other forms of authentication, such as biometrics and physical tokens. While this extra layer remains essential, cybercriminal gangs keep finding ways to get around 2FA requirements. Understanding how attackers bypass Two-Factor Authentication helps you protect your business-critical and personal assets from attack.
- What Is Two-Factor Authentication?
- How Two-Factor Authentication Protects You
- 6 Methods to Bypass Two-Factor Authentication
- How To Better Secure 2FA
What Is Two-Factor Authentication?
2FA is a second check performed in addition to the username/password combination when logging into an account. The second factor can be a code sent by text message, a code generated by an authenticator application, or a biometric such as face or fingerprint recognition.
2FA is the simplest case of multi-factor authentication (MFA). MFA requires the user to prove their identity with two or more factors from different categories: something they know (a password), something they have (a phone or hardware token), or something they are (a biometric). Two codes delivered to the same phone are not two factors.
How Two-Factor Authentication Protects You
There are various types of 2FA. Some applications let you choose which type of verification you prefer, while others employ only one type of verification beyond your password.
2FA via SMS
This method requires the user to register their phone number when first setting up the account. When the user logs on, a verification code (usually six digits) arrives by text message, and the user enters it into the web browser or app.
Because most people have an SMS-capable mobile phone, this verification method is popular. It’s incredibly convenient as the user doesn’t need to install an app on their phone.
Problems arise when the user has no phone signal or has a problem with their SIM card or handset. Attackers have also taken over numbers without touching the handset: by paying an SMS-routing provider to reroute text messages, and by SIM swapping (described below). These attacks are less common than phishing, but they make SMS the weakest of the delivery methods listed here.
2FA via A Voice Call
The voice-call method is similar to SMS 2FA, except that the user receives an automated phone call reading out the verification code rather than a text. Because it depends on the same phone number, it shares the exposure of SMS to number takeover.
2FA via Email
2FA via email works the same way as SMS or voice call: the user receives an email containing a verification code or One-Time Password (OTP). Often the email carries a unique sign-in link that grants access rather than a passcode.
This method requires an internet connection to receive the verification email, and the email often lands in the spam folder. More importantly, if an attacker has already compromised the user's mailbox, every account protected by email 2FA is compromised with it, and the same mailbox usually receives password-reset links too.
2FA via Authenticator App TOTP
A Time-based One-Time Password (TOTP) is generated by an app such as Microsoft Authenticator, Google Authenticator, Authy, or Salesforce Authenticator. At enrolment the service shares a secret key with the app, usually via a QR code; every code the app shows is derived from that key and the current time.
When the user logs into the online application from a new or unknown device, they are prompted to open the authenticator app on their mobile phone (or on the computer, if they use a desktop client such as Authy).
The app displays an OTP, usually six to eight digits, that changes every 30 seconds. The user enters the current code and is granted access.
Authenticator apps are easy to deploy and use: the code is available immediately, with no wait for an email or SMS and no dependence on the phone network. The drawbacks are that anyone who can unlock the device, or copy the secret key from it or from the enrolment QR code, can generate the same codes, and that a code can still be phished and relayed in real time, as described below.
2FA via Key Fob Hardware
The key fob is one of the oldest 2FA delivery vehicles. A hardware token, usually a key fob, displays a code that changes every 30 or 60 seconds; the user reads it off the device and types it into the application. Other hardware tokens plug into the computer instead of displaying a code.
The key fob method is easy to use and needs no internet or phone connection. Because the secret lives in dedicated hardware, it cannot be copied by malware on the user's phone or PC, which makes it one of the stronger 2FA methods, although a displayed code can still be phished like any other OTP. The drawbacks are the cost of issuing and maintaining a token for every user and the ease with which a physical device is misplaced.
6 Methods to Bypass Two-Factor Authentication
While each 2FA method adds security, each also has weaknesses. The following are the methods attackers use to bypass Two-Factor Authentication.
1. Bypassing 2FA with Social Engineering
Social engineering is a non-technical attack in which the attacker tricks the victim into handing over the passcode without realising it. In these cases the attacker has already obtained the user's username and password. They call or message the victim with a compelling story, often posing as the service's support desk, and urge the user to read out the 2FA code that has just arrived.
In other cases, the attacker knows enough basic information about the user to call customer service and pose as the user. They will say they have been locked out of their account or are having issues with the authenticator app. If they are convincing enough, they will obtain what they need from the customer service agent.
2. Bypassing 2FA with Open Authorization (OAuth)
OAuth is an authorisation framework that grants an application limited access to a user's data without sharing the user's password. For example, you can allow an application to post on your Facebook account: you delegate a limited degree of access via OAuth, but you never give that application your Facebook password.
Any provider that lets you delegate access via OAuth can also be abused by an attacker in an OAuth phishing, or consent phishing, campaign. The attacker registers an app that looks legitimate and sends the victim a consent link asking them to grant it access. The link points at the genuine provider, which is what makes it convincing.
If the victim clicks Accept, the provider issues the attacker's app a token with whatever scopes were requested. The attacker never needs the victim's credentials and never sees a 2FA prompt: the victim performed the login and 2FA themselves before granting consent, and the token keeps working until the grant is revoked.
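The practical defence against consent phishing is to look at what a consent link actually asks for before anyone approves it. The following is an added example, not code from the original article or from any OAuth provider: it parses an OAuth 2.0 authorisation URL and lists the reasons a reviewer should refuse it. The client_id allow-list, the sensitive-scope names and both sample URLs are constructed for the demo; note that the phishing URL sits on the legitimate provider's host, and only the app behind it is hostile.

```python
"""Added example: triage an OAuth 2.0 authorisation (consent) URL before anyone
clicks Accept. This is not code from the original article or from any provider.
The client_id allow-list, the sensitive-scope list and the two sample URLs are
constructed for the demo; real providers use their own scope vocabularies."""
from urllib.parse import parse_qs, urlparse

# Hypothetical allow-list of apps the organisation has reviewed and approved.
KNOWN_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}

# Illustrative scopes that let a token holder read or act on the account later.
SENSITIVE_SCOPES = {
    "offline_access",       # refresh token: access outlives the session and MFA
    "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all",
    "user.read.all",
}


def triage_consent_url(url: str) -> dict:
    """Parse an authorize URL and list the reasons a reviewer should refuse it."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    client_id = params.get("client_id", "")
    scopes = set(params.get("scope", "").lower().split())   # scopes are space-separated
    redirect_uri = params.get("redirect_uri", "")
    redirect = urlparse(redirect_uri)
    findings = []

    if client_id not in KNOWN_CLIENT_IDS:
        findings.append(f"unknown client_id {client_id!r}: app has not been vetted")
    risky = sorted(scopes & SENSITIVE_SCOPES)
    if risky:
        findings.append("sensitive scopes requested: " + ", ".join(risky))
    if "offline_access" in scopes:
        findings.append("offline_access: a refresh token keeps working after the "
                        "victim logs out and without any further 2FA prompt")
    if redirect.scheme != "https":
        findings.append(f"redirect_uri is not https: {redirect_uri!r}")

    return {
        "client_id": client_id,
        "scopes": sorted(scopes),
        "redirect_host": redirect.hostname or "",
        "findings": findings,
        "approve": not findings,
    }


# Constructed sample URLs (hosts are documentation/example domains).
VETTED_APP_URL = (
    "https://login.example.com/oauth2/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid%20profile"
)
CONSENT_PHISH_URL = (
    "https://login.example.com/oauth2/authorize"
    "?client_id=deadbeef-0000-1111-2222-333333333333&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmailbox-security-update.example.net%2Fcb"
    "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All"
)

if __name__ == "__main__":
    for url in (VETTED_APP_URL, CONSENT_PHISH_URL):
        result = triage_consent_url(url)
        print("approve" if result["approve"] else "REFUSE", result["findings"])
```

The same checks belong in the tenant's admin-consent policy: restrict which apps users may consent to, and review existing grants for the scopes flagged above, because a grant that already exists is the attacker's persistence.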
3. Bypassing 2FA with Brute Force
Attackers sometimes try brute force, depending on the age of the equipment the target uses. Some legacy key fobs, for example, display only four digits, leaving just 10,000 possible codes; every additional digit multiplies the number of values to guess by ten.
The obstacle for the attacker is that an OTP is valid only briefly, typically 30 to 60 seconds for time-based codes, so only a limited number of guesses fit before the code changes. A correctly implemented 2FA server also accepts each code once and permits only a small number of wrong codes per user before locking the account or slowing its responses, and that limit is what actually stops guessing.
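The authenticator-app section above describes what a TOTP code is, and this section describes the controls that keep it from being guessed. Both are shown in one added example below, which is not code from the original article or from any named authenticator app: RFC 4226 HOTP and RFC 6238 TOTP generation, and a server-side verifier that enforces a short validity window, single use of each code, and a cap on wrong guesses. The window size, the lockout threshold and the attacker loop are illustrative assumptions; the key is the RFC test-vector key, so the codes can be checked against the RFCs.

```python
"""Added example: HOTP/TOTP generation (RFC 4226 / RFC 6238) next to a
server-side verifier that applies the three controls the text describes:
a short validity window, single use of each code, and a cap on wrong guesses.
Not code from the original article or from any named authenticator app. The
window, lockout threshold and attacker loop are illustrative assumptions; the
key is the RFC test-vector key so the values can be checked against the RFCs."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference key: the ASCII bytes of "12345678901234567890".
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side of the check.

    - accepts the current step plus `window` steps either side (clock drift);
    - never accepts a step at or below the last one that succeeded (no replay);
    - stops answering after `max_failures` wrong codes (defeats guessing).
    """

    def __init__(self, secret: bytes, max_failures: int = 5, window: int = 1, step: int = 30):
        self.secret = secret
        self.max_failures = max_failures
        self.window = window
        self.step = step
        self.failures = 0
        self.last_counter = -1  # highest time step already consumed

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, code: str, at: int) -> bool:
        if self.locked:
            return False  # needs an out-of-band reset; do not say why
        now = at // self.step
        for c in range(now - self.window, now + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # burn this step and everything before it
                self.failures = 0
                return True
        self.failures += 1
        return False


def brute_force(verifier: TotpVerifier, at: int, start: int = 0, stop: int = 10 ** 6):
    """Attacker loop: try six-digit codes in order within one time window.
    Returns (accepted_code or None, attempts) and gives up once the verifier locks."""
    attempts = 0
    for guess in range(start, stop):
        attempts += 1
        if verifier.verify(f"{guess:06d}", at):
            return f"{guess:06d}", attempts
        if verifier.locked:
            break
    return None, attempts


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the test key:", totp(TEST_SECRET, now))
    limited = TotpVerifier(TEST_SECRET)
    print("guessing against a rate-limited verifier:", brute_force(limited, now))
```

Two details are worth noticing. With a drift window of one step either side, three codes are valid at any moment, so the window triples the attacker's odds; keep it as small as clock accuracy allows. And a verifier without a failure cap does eventually lose to the loop above, which is why the lockout, not the code length, carries the defence.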
4. Bypassing 2FA with Earlier-generated Tokens
Some platforms let users generate backup (recovery) codes in advance, typically a list of single-use codes to fall back on if the normal 2FA method fails. If an attacker obtains the user's password and the document holding those codes, they can bypass 2FA. Treat backup codes like passwords: keep them in a password manager or offline, not in an email or a plain file on the desktop.
5. Bypassing 2FA with Session Cookie or Man-in-the-middle
Session hijacking, also called cookie stealing, is the theft of the user's session cookie. After a successful login, including the 2FA step, the site sets a session cookie so the user does not have to re-authenticate on every request.
The session cookie carries a session identifier or token that the server maps to the authenticated user and uses to track their activity. It stays valid until the user logs out or the server expires it; closing the browser window does not usually log the user out.
An attacker who obtains that cookie can present it to the site and be treated as the logged-in user, with no password and no 2FA prompt, because the site already performed both checks for the original session. Cookies are taken by session sniffing on unencrypted connections, session fixation, cross-site scripting, and information-stealing malware on the user's machine.
Evilginx is a popular framework for this kind of man-in-the-middle (adversary-in-the-middle) attack. The attacker sends a phishing link that leads to a reverse proxy sitting in front of the real login page. The user logs in and completes 2FA as usual; Evilginx relays every request and response to the genuine site while recording the credentials and the code.
Capturing the code is not what matters, since it expires within seconds and is rejected once used. What matters is that the genuine site issues a session cookie at the end of the login, and the proxy is positioned to copy it. The attacker loads that cookie into their own browser and is logged in, with two-factor authentication already satisfied.
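A replayed cookie leaves a trace the server can see: the same session suddenly arrives from a different client. The following is an added example, not code from the original article or from Evilginx, of a detection pass over web-server access logs. The log format and the eight sample lines are constructed for the demo, and the 15-minute window is an assumption; in real logs the IP is noisy on its own (mobile networks change addresses), so the user-agent change and the first request the new client makes are the stronger signals.

```python
"""Added example: a detection pass over web-server access logs for a stolen
session cookie. Not code from the original article; the log format and the
sample lines are constructed for the demo. Heuristic: a session ID that is
suddenly used from a different client IP or user agent within a short window,
which is the footprint of a cookie replayed from an Evilginx-style proxy or an
infostealer."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: UTC time, session id, client IP, user agent, request.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z sid=a1b2c3d4 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124" POST /login
2024-05-01T09:00:05Z sid=a1b2c3d4 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124" GET /mail
2024-05-01T09:02:30Z sid=a1b2c3d4 ip=198.51.100.77 ua="python-requests/2.31" GET /mail/export
2024-05-01T09:03:00Z sid=a1b2c3d4 ip=198.51.100.77 ua="python-requests/2.31" POST /settings/forwarding
2024-05-01T09:10:00Z sid=e5f6a7b8 ip=192.0.2.44 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/125" POST /login
2024-05-01T09:11:00Z sid=e5f6a7b8 ip=192.0.2.44 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/125" GET /dashboard
2024-05-01T09:15:00Z sid=c9d0e1f2 ip=198.51.100.5 ua="Mozilla/5.0 (iPhone) Safari/604.1" POST /login
2024-05-01T13:40:00Z sid=c9d0e1f2 ip=198.51.100.9 ua="Mozilla/5.0 (iPhone) Safari/604.1" GET /dashboard
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\w+) ip=(?P<ip>[\d.]+) ua="(?P<ua>[^"]*)" (?P<req>.*)$'
)


def parse_log(text: str) -> list:
    """Turn the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_hijacked_sessions(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """One alert per session whose IP or user agent changes within `window`.

    A change hours apart (laptop moved networks, phone switched from Wi-Fi to
    mobile data) is ignored; a change of both fields within minutes, especially
    to a scripting user agent, is what a replayed cookie looks like.
    """
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)

    alerts = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            changed = prev["ip"] != cur["ip"] or prev["ua"] != cur["ua"]
            if changed and cur["ts"] - prev["ts"] <= window:
                alerts.append({
                    "sid": sid,
                    "at": cur["ts"].isoformat(),
                    "gap_seconds": int((cur["ts"] - prev["ts"]).total_seconds()),
                    "old": (prev["ip"], prev["ua"]),
                    "new": (cur["ip"], cur["ua"]),
                    "first_request": cur["req"],
                })
                break  # one alert per session is enough to trigger a review
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_sessions(parse_log(SAMPLE_LOG)):
        print(f"session {alert['sid']} replayed from {alert['new'][0]} "
              f"({alert['new'][1]}) {alert['gap_seconds']}s after {alert['old'][0]}; "
              f"first request: {alert['first_request']}")
```

On a hit, the response is to revoke that session server-side (and any refresh tokens tied to it) rather than only alerting, because the attacker's first moves in the sample, a mailbox export and a forwarding rule, are exactly the persistence a password reset alone does not undo.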
6. Bypassing 2FA with SIM-Jacking
SIM-jacking (SIM swapping) occurs when an attacker takes control of someone's phone number by persuading the mobile carrier to transfer it to a SIM the attacker holds.
Once the number is theirs, the attacker receives every OTP sent by SMS or voice call. To convince the carrier, they first gather the victim's personal details through phishing, social engineering, or data breaches, and in some cases pay off carrier staff. No malware on the victim's phone is involved, and the first sign is often the victim's handset suddenly losing service.
How To Better Secure 2FA
Despite the vulnerabilities exposed by hackers, 2FA is still the recommended way to secure your accounts. Here are some tips for using this feature effectively:
- Use an authenticator app such as Microsoft Authenticator or Google Authenticator rather than text-message codes.
- Never share your security codes.
- Where a service lets you choose, use longer codes (eight digits rather than six).
- If you are unsure about your security, double-check with a professional about what you should do.
- Use complex passwords from a password generator and a password manager.
- Never reuse passwords.
- Use a FIDO2/WebAuthn security key where the service supports it. The key signs a challenge bound to the site's real domain, so a proxy login page on a look-alike domain receives nothing it can replay; it is the only method in this article that resists the Evilginx-style attack.
- Educate yourself and your staff regarding common social engineering tactics.
Your organisation should consider taking advice from a third-party security consultancy, such as Securus Communications, to ensure you use more robust security protocols.
We offer security packages that protect your company from the types of 2FA attacks described in this article, including social engineering, phishing, OAuth consent attacks, and cookie stealing. These packages typically combine spam filters, threat intelligence, and other technologies to stay ahead of threats.
Despite the vulnerabilities, 2FA remains one of the best ways to protect accounts. To ensure that your 2FA parameters are fully optimised, be sure to apply the best practices listed here.
Apps like Google Authenticator and Microsoft Authenticator are widely available to support your security efforts, and your security administrator should have tools and procedures in place as well.
From anti-malware, anti-phishing, 2FA, and SASE to cloud-based air-gap immutable backup storage, Securus has a security solution to suit your requirement and budget. If you would like to discuss your network security requirements in more detail with one of our cyber security professionals, please don’t hesitate to get in touch.