5 ways hackers can bypass two-factor authentication
For several years now, two-factor authentication (2FA) has been heralded as the answer to protecting sensitive accounts. For both businesses and regular people, the added security provided by requiring a code from your phone or email gave peace of mind that personal information was well-protected.
As well as codes, other forms of authentication such as biometrics, physical authentication tokens, and even being connected to a network from a specific computer have become prevalent.
Unfortunately, cybercriminals have adapted to 2FA. In late 2019, the FBI issued a warning about the increasing number of cyber-attacks that bypass 2FA.
This raises the question: is 2FA still enough to protect our business-critical assets and personal information from attack?
How does 2FA work in practice?
We’ve covered what 2FA is, but it’s important to know how it works from a security perspective. When you log in to an account, whether for business or personal use, you always enter a username or email address together with your password. That is one factor: something you know.
When 2FA is enabled, you must provide a second type of proof that the account belongs to you before you are allowed in.
As we mentioned previously, this could include:
Biometrics, such as a fingerprint, iris scan, voice, facial recognition, etc.
A hardware security token, such as a USB stick or authenticator
A phone call, email, or SMS that provides a unique code
A passcode or push notification sent via a mobile app
Why do I need 2FA?
Before we look at why 2FA might not be enough anymore, it’s important to state the reasons why 2FA is still so important for businesses and individuals.
In day-to-day use, 2FA provides a lot more protection than just using a password for your accounts. If you are tricked into giving your password away, a cybercriminal would still need to find a way to bypass your second authentication method, buying you time to change your password and further secure your account.
Alongside a strong, unique password, a second authentication method is often enough for individuals. However, as we will cover, it’s not as secure as it used to be.
1. Bypassing 2FA by utilising a password reset function
One of the most common ways that cybercriminals bypass 2FA is by using a website’s or app’s password reset function. If you’ve ever received an unexpected password reset request in your email inbox, chances are someone was trying to do this to you.
If an attacker has access to your email account, a password reset request effectively bypasses 2FA on many platforms, because some websites and apps don’t ask for the second factor when a password is reset through email.
If you ever receive a random password reset request, you should do two things:
Immediately reset your email password
Reset the password of the account that you received the request for
Remember to use strong, unique passwords with a mixture of uppercase and lowercase letters and symbols.
2. Bypassing 2FA by utilising OAuth
OAuth integration within websites or apps allows users to use a third-party account to log in. This might include logging in using Facebook or Google, which is becoming more and more common.
If you have “created” an account on a website this way, cybercriminals can bypass its 2FA quite easily: once they control your Facebook or Google account, for example, they simply sign in to that account and then use it to log in to the website or app, and the website’s own 2FA is never asked for.
The easiest way to avoid an attack of this kind is to:
Never create an account on a website or app by using a third-party account
If you have any accounts created this way, ensure that you have MFA in place on the third-party accounts, as well as utilising strong, unique passwords
3. Bypassing 2FA using brute force
Brute forcing is a technique that hackers have used for decades. A 2FA code can also be brute-forced if the website or application doesn’t lock the account after a predetermined number of incorrect attempts: a six-digit code only has a million possible values, so an attacker can keep guessing until one is accepted.
There’s not much you can do about this from a user perspective, as it’s a shortcoming of the platform that your account is on. However, you can:
Avoid websites or apps that don’t enforce a limit on failed sign-in attempts
If you receive an email from a platform stating that you have tried to log in numerous times without success, reset your password immediately
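As an added illustration of the account-lockout control this section describes (example code written for this page, not from any product or vendor), here is a minimal server-side code verifier that stops answering after a fixed number of wrong guesses; the attempt limit, lockout window, user names and codes are assumed sample values.

```python
import hmac
import time
from dataclasses import dataclass
# Assumed policy for this example: five wrong codes lock the challenge for
# 15 minutes. Real services tune these values to their own risk model.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900

@dataclass
class OtpChallenge:
    expected_code: str        # the code that was sent to the user
    attempts: int = 0
    locked_until: float = 0.0

class OtpVerifier:
    """Server-side second-factor check with an attempt limit and lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so tests can control time
        self._challenges = {}

    def issue(self, user, code):
        self._challenges[user] = OtpChallenge(code)  # fresh attempt counter

    def verify(self, user, submitted):
        ch = self._challenges.get(user)
        if ch is None:
            return "no_challenge"
        now = self._clock()
        if now < ch.locked_until:
            return "locked"       # refuse even a correct code while locked
        if ch.locked_until:       # lock has expired: open a fresh window
            ch.attempts, ch.locked_until = 0, 0.0
        ch.attempts += 1
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(ch.expected_code, submitted):
            del self._challenges[user]   # a code is single-use
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"

def calls_until_refused(verifier, user, limit=1_000_000):
    """Submit sequential 6-digit codes; report how many calls get an answer."""
    for n in range(limit):
        if verifier.verify(user, f"{n:06d}") in ("ok", "locked"):
            return n + 1
    return limit
```

Without the lockout branch, `calls_until_refused` would run through the whole code space; with it, guessing stops after `MAX_ATTEMPTS` calls regardless of how many codes remain untried.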
4. Bypassing 2FA using previously generated codes or tokens
Occasionally, platforms offer users the option of generating 2FA login tokens in advance. Often, this will take the form of a document or PDF with a pre-set number of codes supplied.
If a cybercriminal gains access to this document through an email or direct cyber-attack, they can easily bypass the 2FA restrictions for that platform. To avoid situations like this:
Never use a platform that pre-generates 2FA tokens without password-protecting the document
Delete any emails or communications that contain the document immediately after saving them to your computer
When saving to your computer, store it in a secure, password-protected folder and don’t place this folder on your desktop
5. Bypassing 2FA using social engineering
Social engineering covers a wide variety of techniques by which cybercriminals can gain access to 2FA codes. One of the most common ways that individuals or businesses are caught out is if the hacker already has their username and password, but not access to their email accounts or any other method of 2FA.
Their strategy is often as simple as creating a fraudulent email requesting the 2FA code that appears as if it is from the platform in question. Once they receive the code back, they can log in.
Another method is phishing. In this case, the hacker doesn’t even need your username and password in advance. Instead, they create a fraudulent webpage that is an almost exact copy of the real website’s or application’s login page. When you enter your username and password, the hacker receives them too, and the same page then asks for, and captures, your 2FA code.
Whilst these aren’t the only social engineering techniques for bypassing 2FA, they are a representative indication of the ways cybercriminals gain access to accounts.
All of this raises the question: what can we do beyond 2FA? How can we protect our accounts further and make authentication even harder to bypass?
The answer is multi-factor authentication (MFA). Simply put, MFA utilises 3 or more methods of authentication for logging into an account.
We would advise that, wherever possible, you use MFA rather than 2FA. This makes it almost impossible for hackers to gain access to your accounts without advanced phishing.
Finally, here are some extra tips for securing your accounts against cyber criminals:
Always use strong, unique passwords. Many password managers offer a password generation service for this purpose. If possible, use a password with 12 or more characters, including uppercase and lowercase letters, numbers, and special characters
Rather than relying on SMS or email codes, utilise authenticator apps where possible, such as Microsoft Authenticator
Educate yourself, your loved ones, and your employees on common social engineering tactics employed by cybercriminals, including phishing
Adopt MFA for your accounts whenever possible, especially for accounts that hold sensitive or personal information