2FA and possible ways to circumvent it

Teacher

Hello! Advanced account security practices include two-factor authentication (2FA). It is used everywhere for both corporate and personal user accounts around the world. In the classical sense, this authentication method involves delivering a special code to the phone or email address, which must be entered after entering the password from the account. However, there are other forms of 2FA that we will discuss in this article.

Two-factor authentication adds a layer of protection to your account against cybercriminals, but a sufficiently motivated attacker can still find a way around it. Understanding how attackers usually circumvent 2FA is what lets you avoid falling for their tricks and keep your account safe.
  • What is two-factor authentication?
  • What types of two-factor authentication exist?
  • 2FA via SMS
  • 2FA via voice call
  • 2FA by email
  • 2FA via TOTP authentication apps
  • 2FA via a hardware key
  • 6 ways to bypass two-factor authentication
  • 1. Bypass 2FA using social engineering
  • 2. Bypass 2FA with open authorization (OAuth)
  • 3. Bypass 2FA with Brute-Force
  • 4. Bypassing 2FA with previously generated tokens
  • 5. Bypassing 2FA using Session Cookies
  • 6. Bypass 2FA with SIM-jacking
  • How can 2FA be made even safer?
  • Conclusion

What is two-factor authentication?
2FA is a second level of authentication used in addition to the classic user name and password combination when logging in to an account. Two-factor authentication can rely on very different ways of confirming account ownership; which one is used depends on the needs of the system itself or on the user's preferences.

Sometimes a certain account requires the highest level of protection. Then the so-called "multi-factor authentication" (MFA), which includes several verification factors, comes to the rescue. For example, password + physical token + biometrics. This method of protecting your account is much more reliable than classic two-factor authentication.

What types of two-factor authentication exist?
Some services and applications allow you to choose which type of verification to use in addition to the password, and some do not. Let's consider all possible options for 2FA.

2FA via SMS
This authentication method requires the user to provide their phone number when setting up their profile for the first time. Then, on every login (or on the first login from a new device), the user has to enter a one-time confirmation code (One-Time Password, OTP), usually six digits long. This code is sent as a text message to the user's phone.

Since most people have mobile phones that support SMS, and you don't need to install additional apps, this verification method is probably the most popular one right now.

Problems with 2FA via SMS only arise when there is no network signal or when the phone itself is not working.

2FA via voice call
This authentication method involves dialing the user's phone number. When you log in to a mobile app, the fact of the call itself is usually enough for authorization, and the app automatically confirms the login. However, in some services, 2FA via a phone call is configured in such a way that you must answer the incoming call, listen to the six-digit code voiced by the robot, and then enter it in the form.

2FA by email
2FA via email works the same as 2FA via SMS, but the one-time confirmation code is sent as an email to the user's email address. One of the options for email authentication is not to enter a code, but to click on a unique link that provides access to the account.

2FA via email requires an Internet connection to receive the message, although today this can hardly be called a disadvantage. What is definitely not an advantage of this method is that such emails are frequently classified as spam, so logging in can take longer while the user searches for the message.

In addition, an account protected by email authentication is easy for attackers to take over if they already have access to the mailbox itself. SMS authentication, by contrast, forces the attacker to be physically close to the victim, steal their phone to see the code, or resort to a complex SIM-jacking attack.

2FA via TOTP authentication apps
The Time-based One-time Password algorithm (TOTP) is a form of verification that requires the user to install a dedicated app on their smartphone, such as Microsoft Authenticator, Google Authenticator, Yandex Key, etc.

When a user logs in to a particular online service from a new or unknown device, they are prompted to open the authentication app on their mobile phone. The app generates a temporary one-time code, ranging in length from six to eight digits, which is updated every 30 seconds. After entering this code in the appropriate form, the user gets access to the account.

One of the advantages of authenticator apps is that they are easy to implement and use. The user immediately receives a confirmation password, and they don't need to wait for an email or text message. This method is also more reliable than 2FA via SMS, because you can't see the code on the lock screen or on a Bluetooth-connected fitness bracelet. At a minimum, you need to unlock your smartphone, or even enter a separate password to access the TOTP app.

As long as the user does not use one and the same PIN code for everything, an account protected by a TOTP authenticator is extremely difficult to break into.

2FA via a hardware key
This method uses physical devices for authorization. This can be, for example, a USB security key inserted into your computer, an NFC card, or a TOTP key fob that generates an authorization code every 30/60 seconds.

Hardware keys do not require an internet connection. This is one of the simplest and most secure 2FA methods. However, it can be costly for businesses to produce and maintain such devices on a per-user basis. And if it is critical that the user carries such a key with them, the risk of losing it is also added.

6 ways to bypass two-factor authentication
Despite all the advantages of two-factor authentication, each of the methods described above also has its own vulnerabilities. Below we will describe exactly how hackers can circumvent two-factor authentication.

1. Bypass 2FA using social engineering
Social engineering is a non-technical attack in which the attacker tricks the victim into unknowingly revealing the secret code. Already holding the username and password, the attacker calls or messages the victim with a convincing story that urges them to hand over the 2FA code.

In other cases, the attacker already has enough basic information about the victim to call the target service's support desk on their behalf. A criminal can impersonate the user and claim that their account is blocked or that there is a problem with the authenticator app. If successful, the attacker gets at least one-time access to the victim's account, and if they are lucky, they reset and change the user's password altogether.

2. Bypass 2FA with open authorization (OAuth)
OAuth is an open authorization protocol that provides applications and services with limited access to user data without disclosing the password. For example, to log in to the app, you need to grant partial access to your VK or Facebook account. In this way, the selected application gets part of the account's permissions, but does not store data related to the user's passwords in its databases.

In so-called "consent phishing," the attacker pretends to be a legitimate application that uses OAuth authorization and sends the victim a message asking for access. If the victim grants it, the attacker can do whatever they want within the scope of the requested access. Consent phishing lets an attacker sidestep credentials entirely and bypass any configured two-factor authentication.

3. Bypass 2FA with Brute-Force
Sometimes attackers simply brute-force the code, especially when outdated or poorly protected equipment is in use. For example, some old TOTP key fobs produce codes only four digits long, which are far easier to guess.

An obstacle for attackers is that the one-time codes generated by such key fobs are only valid for a short time (30/60 seconds). Thus, attackers can try only a limited number of codes before the code changes. And if two-factor authentication is configured correctly, this type of attack is impossible in principle: the user is blocked after several incorrectly entered OTP codes.
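As an added example that is not part of the original post, here is a server-side TOTP check in Python (RFC 6238: HMAC-SHA1, 30-second steps, six digits) that covers both the TOTP section above and this one: it tolerates one step of clock drift either way, refuses a code whose time step was already consumed, and locks the account after five failed attempts, which is the lockout the paragraph above describes. The secret value comes from the RFC test vectors, and the threshold of five failures is an assumption chosen for illustration.

```python
import hashlib
import hmac
import struct

# Constructed for this example: the ASCII secret from the RFC 4226/6238 test vectors.
RFC_SECRET = b"12345678901234567890"
STEP = 30          # seconds per time step (RFC 6238 default)
DIGITS = 6         # code length
MAX_FAILURES = 5   # assumed lockout threshold; real systems keep this per account

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)

class TotpVerifier:
    """Server-side check: +/-1 step of drift, no replay of a used step, lockout on repeated failure."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.last_used_step = -1   # highest time step whose code has already been accepted

    def verify(self, code: str, unix_time: int) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"
        step = unix_time // STEP
        for candidate in (step - 1, step, step + 1):
            if candidate <= self.last_used_step:
                continue   # a code for this step was already consumed: treat as replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                self.failures = 0
                return "ok"
        self.failures += 1   # wrong or replayed code: counts towards the lockout
        return "locked" if self.failures >= MAX_FAILURES else "rejected"
```

The lockout state lives in memory here; a real deployment persists it per account so that an attacker cannot reset the counter by reconnecting.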

4. Bypassing 2FA with previously generated tokens
Some platforms allow users to generate 2FA codes in advance. For example, in the security settings of your Google account, you can download a document with a certain number of backup codes that can be used in the future to bypass 2FA. This is usually necessary in case of loss of the device used for authentication. But if such a document or at least one of the backup codes falls into the hands of an attacker, they will easily gain access to the account, regardless of the configured two-factor authentication.

5. Bypassing 2FA using Session Cookies
Cookie theft, also known as session hijacking, allows attackers to gain access to an account without knowing any passwords or 2FA codes at all.

When users log in to a site, they don't need to enter the password on every visit, because the browser stores a special session cookie. It identifies the user, keeps them authenticated in the system, and tracks session activity. Session cookies remain in the browser until the user logs out manually, so an attacker who obtains the cookie can use it to access the user's account.

Cybercriminals know many methods of account hijacking, such as session hijacking and locking, cross-site scripting, and the use of malware. In addition, attackers often use the Evilginx framework for man-in-the-middle attacks. With Evilginx, the attacker sends the user a phishing link that leads to the genuine site's login page, but through a malicious proxy. When the user logs in with 2FA, Evilginx captures the login credentials as well as the authentication code.

Since one-time codes have a limited validity period, and you can't use one code twice, it's much easier for hackers to use the cookie capture method to log in and bypass two-factor authentication.
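As an added illustration that is not from the original post, here is a minimal server-side session store in Python that limits what a stolen cookie is worth: sessions expire after 30 minutes idle and after 12 hours in any case, regardless of whether the user logs out; the cookie is rotated when the session's privilege changes (for example right after the 2FA step); and all of a user's sessions can be revoked at once. The timeouts, the cookie name `session` and the `SessionStore` class are assumptions made for this example.

```python
import hashlib
import secrets

IDLE_TIMEOUT = 30 * 60        # assumed: 30 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 12 * 3600  # assumed: no session outlives 12 hours, even without logout

class SessionStore:
    """Sessions keyed by the SHA-256 of the cookie, so a leaked store yields no usable cookies."""
    def __init__(self):
        self.sessions = {}   # token hash -> {"user", "created", "seen"}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, now: int) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self.sessions[self._key(token)] = {"user": user, "created": now, "seen": now}
        return token

    @staticmethod
    def cookie_header(token: str) -> str:
        # Secure (TLS only), HttpOnly (no script access), SameSite (limits cross-site sending)
        return f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age={ABSOLUTE_TIMEOUT}"

    def resolve(self, token: str, now: int):
        """Return the session's user, or None if the cookie is unknown or has expired."""
        key = self._key(token)
        rec = self.sessions.get(key)
        if rec is None:
            return None
        if now - rec["seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[key]
            return None
        rec["seen"] = now
        return rec["user"]

    def rotate(self, token: str, now: int):
        """Swap the cookie after a privilege change (e.g. after 2FA); the old value stops working."""
        user = self.resolve(token, now)
        if user is None:
            return None
        del self.sessions[self._key(token)]
        return self.create(user, now)

    def revoke_all(self, user: str) -> int:
        """Drop every session of a user (password change, suspected cookie theft)."""
        before = len(self.sessions)
        self.sessions = {k: r for k, r in self.sessions.items() if r["user"] != user}
        return before - len(self.sessions)
```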

6. Bypass 2FA with SIM-jacking
SIM-jacking means that the attacker gains full control over the victim's phone number. Criminals, for example, can collect basic data about the user in advance and then "pretend" to be that user at a mobile operator's store in order to have a new SIM card issued. SIM-jacking is also possible through malicious apps installed on the victim's smartphone.

Control over the user's phone number means that an attacker can intercept the one-time codes sent by 2FA via SMS. And since this is the most popular two-factor authentication method, an attacker can break into the victim's key accounts one by one and gain full access to the data they are after.

How can 2FA be made even safer?
Despite the vulnerabilities discovered by hackers, two-factor authentication is still the recommended way to protect online accounts. Here are some tips for using 2FA effectively:
  • If possible, use authenticator apps instead of plain SMS authentication, since apps are much more secure and a one-time code can't be spied on without full access to your smartphone;
  • Never share one-time or backup security codes with anyone;
  • Use long security codes of more than six characters (if the service allows such settings);
  • Do not protect your account with simple passwords. It is better to generate the password with a password manager and keep it there;
  • Don't reuse the same password across critical accounts;
  • Use physical security keys as an alternative form of authentication;
  • Study popular social engineering tactics so as not to become a victim of fraud;
  • For a company with a sizeable staff, engaging a private security consultant is not superfluous.

Conclusion
Despite the disadvantages and workarounds listed in this article, two-factor authentication is still one of the best ways to protect your accounts. It is enough to follow the recommendations above in order not to leave attackers the slightest chance of compromising your account. We hope that your accounts will never fall into the clutches of scammers, and any confidential data will remain completely safe.

That's all! Thanks for your attention.