Anonymity May 20, 2023

Two-factor authentication and possible ways to avoid it


2FA is a second level of authentication that is used in addition to the classic username and password combination when logging into an account. Two-factor authentication can be configured to provide completely different ways of confirming account ownership. It all depends on the specific needs of the system itself or the user’s preferences.

Sometimes a particular account needs the highest level of security. That’s when so-called “multi-factor authentication” (MFA) comes to the rescue, which combines several verification factors. For example, a password together with a physical token and a biometric check. This method of account security is much more secure than classic two-factor authentication.

What types of two-factor authentication exist?
  • 2FA via text message
  • 2FA via voice call
  • 2FA via email
  • 2FA using TOTP authentication applications
  • 2FA via hardware key

6 ways to bypass two-factor authentication

Despite all the benefits of two-factor authentication, each of the above methods has its own vulnerabilities. Below are the ways hackers can bypass two-factor authentication.

1. Social engineering. This is a non-technical attack in which the attacker tricks the victim into unknowingly handing over the secret code. Already holding the username and password, the attacker calls or sends a persuasive message to the victim, urging them to hand over the 2FA code. In other cases, the attacker already has enough basic information about the victim to call the target service on their behalf. The perpetrator may impersonate the user and say that their account is blocked or that there is some problem with the authentication application. If successful, the hacker will gain at least one-time access to the victim’s account and, with any luck, reset and completely change the user’s password.

2. 2FA bypass with Open Authentication (OAuth). OAuth is an open authentication protocol that gives applications and services limited access to user data without revealing the password. For example, to log into an app, you have to give permission for partial access to your VK or Facebook account. In this way, the selected app receives some of the account’s credentials, but does not store data related to user passwords in its databases. In so-called consent phishing, the attacker pretends to be a legitimate application with OAuth authorization and sends the victim a message requesting access. If the victim grants this access, the attacker can do whatever he or she wants within the requested access. Consent phishing allows the attacker to bypass credentials and any configured two-factor authentication.

3. Bypassing 2FA with brute force. Sometimes hackers choose the brute-force method, especially if you’re using older or weaker equipment. For example, some older TOTP key fobs have only four digits. That makes them much easier to hack. One obstacle for hackers is that the unique codes generated by these key fobs are only valid for a short time (30/60 seconds). Thus, attackers have a limited number of codes to crack before they change. And if two-factor authentication is configured correctly, such an attack will be impossible in principle: the user will be blocked after a few incorrectly entered OTP codes.
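The "configured correctly" case from item 3, as an added example that is not part of the original article: a server-side TOTP check (RFC 6238, HMAC-SHA1) that locks the account after a few wrong codes and refuses to accept the same time step twice. The class name, the thresholds (5 failures, 900-second lock) and `guess_odds` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 code for one time step (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Hypothetical per-account verifier: lockout plus one-time use of each step."""

    def __init__(self, secret, digits=6, step=30, max_failures=5, lock_seconds=900):
        self.secret, self.digits, self.step = secret, digits, step
        self.max_failures, self.lock_seconds = max_failures, lock_seconds
        self.failures = 0
        self.locked_until = 0.0
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"  # guesses made during lockout are not even evaluated
        current = int(now // self.step)
        for counter in range(max(0, current - 1), current + 2):  # tolerate drift
            expected = totp(self.secret, counter, self.digits)
            # Constant-time compare; reject steps at or below the last accepted one.
            if counter > self.last_counter and hmac.compare_digest(
                expected.encode(), code.encode()
            ):
                self.last_counter, self.failures = counter, 0
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until, self.failures = now + self.lock_seconds, 0
            return "locked"
        return "denied"

def guess_odds(digits: int, attempts: int, window: int = 3) -> float:
    """Upper bound on the chance that `attempts` guesses hit a code in the window."""
    return min(1.0, attempts * window / 10 ** digits)
```

With five attempts allowed per lockout period, `guess_odds` shows why the four-digit fobs mentioned above are the weak case: the bound is 100 times higher than for six digits.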

4. Bypassing 2FA with previously generated tokens. Some platforms allow users to pre-generate 2FA codes. For example, in the security settings of a Google account, you can download a document with a certain number of security codes, which can then be used to bypass 2FA. This is usually necessary if you lose the device used for authentication. But if that document, or even one of the security codes, falls into the hands of an attacker, they will easily gain access to the account, regardless of the two-factor authentication set up.

5. Bypassing 2FA with session cookies. Cookie theft, also known as session hijacking, allows attackers to gain access to an account without knowing passwords or 2FA codes. When users visit a site, they don’t have to enter a password every time because the browser stores a special session cookie. It contains information about the user, maintains their authentication to the system, and tracks their session activity. The session cookie remains in the browser until the user manually logs out. Thus, an attacker can use the cookie to their advantage to gain access to the user’s account. Cybercriminals are aware of many methods of account hijacking, including session hijacking, cross-site scripting, and the use of malware. In addition, attackers often use the Evilginx framework for man-in-the-middle attacks. Using Evilginx, the hacker sends the user a phishing link that redirects them to the login page of a real, legitimate site, but through a special malicious proxy. When the user logs into their account using 2FA, Evilginx captures their login credentials as well as their authentication code. Since one-time codes expire and cannot be used twice, it is much easier for hackers to use the cookie hijacking method to log in and bypass two-factor authentication.
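A detection sketch for item 5, added here and not part of the original article: because a stolen session cookie is replayed from the attacker's own machine, the server can flag a session whose client network or User-Agent changes after login, and can stop honouring cookies past an absolute lifetime instead of waiting for a manual logout. The log layout, the /24 grouping (IPv4 only), the 8-hour lifetime and all sample records are constructed assumptions.

```python
from ipaddress import ip_network

# Constructed sample access log: (epoch seconds, session id, client IP, User-Agent)
SAMPLE_LOG = [
    (1000, "s1", "198.51.100.7", "Firefox/113"),   # s1 established at login
    (1300, "s1", "198.51.100.9", "Firefox/113"),   # same /24 and client: fine
    (1400, "s2", "203.0.113.20", "Chrome/113"),    # s2 established at login
    (1900, "s1", "192.0.2.55", "curl/8.0"),        # s1 reused from elsewhere
    (90000, "s2", "203.0.113.20", "Chrome/113"),   # s2 used a day later
]

def fingerprint(ip: str, user_agent: str):
    """Coarse client identity: the IPv4 /24 network plus the exact User-Agent."""
    return (ip_network(f"{ip}/24", strict=False), user_agent)

def review_sessions(log, max_age: int = 8 * 3600):
    """Return (session id, timestamp, reason) for each request that should be
    rejected: the session outlived max_age, or its fingerprint no longer
    matches the one recorded when the session was first seen."""
    first_seen = {}
    alerts = []
    for ts, sid, ip, user_agent in sorted(log):
        fp = fingerprint(ip, user_agent)
        if sid not in first_seen:
            first_seen[sid] = (ts, fp)  # bind the session to its first client
            continue
        started, bound_fp = first_seen[sid]
        if ts - started > max_age:
            alerts.append((sid, ts, "expired"))
        elif fp != bound_fp:
            alerts.append((sid, ts, "fingerprint-change"))
    return alerts

if __name__ == "__main__":
    for alert in review_sessions(SAMPLE_LOG):
        print(alert)
```

In production the same check runs inline at request time, and a hit should invalidate the session server-side and force re-authentication with the second factor.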

6. Bypassing two-factor authentication with SIM swapping. A SIM-swapping attack assumes that the attacker has full control over the victim’s phone number. Criminals can, for example, obtain a set of basic user data in advance and then “pretend” to be that user.

