We consider in detail the advantages and disadvantages of the most popular way to protect accounts on the Internet.
Two-factor authentication (2FA) is one of the basic account security practices, used for both corporate and personal accounts around the world. In its classic form, the method delivers a one-time code to the user's phone or e-mail, which must be entered after the account password. There are other forms of 2FA, and we discuss them in this article.
Two-factor authentication adds a layer of protection against account takeover, but a determined attacker can still find a way around it. Understanding how attackers typically bypass 2FA is what lets you recognize their tricks and keep your account secure.
What is two-factor authentication?
2FA is a second authentication step used in addition to the classic username and password when logging into an account. The second factor is meant to be of a different kind from the password: something the user has (a phone, a hardware key) or something the user is (biometrics), rather than another thing the user knows. Two-factor authentication can be configured to verify account ownership in several different ways; which one is used depends on the needs of the system and on user preferences.
Sometimes an account needs the highest level of protection. Then multi-factor authentication (MFA) is used, which combines several verification factors, for example password + physical token + biometrics. Strictly speaking, 2FA is simply MFA with exactly two factors; adding a third independent factor makes the account considerably harder to take over than classic two-factor authentication does.
What types of two-factor authentication are there?
Some services and applications let you choose which type of verification to use in addition to your password, and some do not. Below are the common 2FA options.
2FA by SMS
This method requires the user to provide a phone number when the profile is first set up. Then, at each login (or at the first login from a new device), the user is asked to enter a one-time verification code (one-time password, OTP), usually six digits long, which is delivered as a text message to that phone.
Since most people have a mobile phone that can receive SMS and no additional app needs to be installed, this is probably the most widespread 2FA method today.
From a usability standpoint, SMS 2FA only fails when there is no network signal or the phone is not working. From a security standpoint it is the weakest of the options listed here: the code can be read from the lock screen of an unattended phone, and, as described in the SIM-jacking section below, an attacker who takes over the phone number receives the codes instead of the user.
2FA via voice call
This method involves an automated call to the user's phone. In some mobile applications the incoming call itself is enough: the app detects the call and confirms the login automatically. In other services, 2FA by voice call requires answering the call, listening to a six-digit code read out by a robot, and entering it in the form. Because it relies on the phone number in the same way as SMS, it shares the same weaknesses.
2FA by email
2FA by e-mail works like 2FA by SMS, but the one-time verification code is sent to the user's mailbox. A variant does not require entering a code at all: the e-mail contains a unique link that, when followed, grants access to the account.
2FA by e-mail requires an Internet connection to receive the message, though today that is hardly a disadvantage. What is definitely a disadvantage is that such messages are frequently classified as spam, so logging in can take longer while the user hunts for the message.
In addition, an account protected by e-mail 2FA is easy to take over for an attacker who already controls that mailbox. SMS authentication, by contrast, forces the attacker to get physically close to the victim, steal the phone or peek at the code on it, or resort to a more elaborate SIM-jacking attack.
2FA via TOTP Authentication Apps
The time-based one-time password algorithm (TOTP) is a form of verification that requires the user to install an authenticator app on their smartphone, such as Microsoft Authenticator, Google Authenticator, Yandex Key, etc.
When 2FA is enrolled, the service shares a secret key with the app, usually by scanning a QR code. When the user then accesses the service from a new or unknown device, they are prompted to open the app, which computes a temporary one-time code of six to eight digits from the secret and the current time; the code changes every 30 seconds. Entering this code in the form grants access to the account. Because the code is computed locally, the app needs no network connection.
One of the benefits of authenticator apps is that they are easy to deploy and use: the code is available immediately, with no waiting for an e-mail or SMS. The method is also more secure than SMS 2FA, because the code cannot be read off the lock screen or off a smartwatch or fitness band that mirrors notifications. The phone must at least be unlocked, and the TOTP app itself may require a separate PIN.
Unless the user has reused a single PIN for the phone, the app and everything else, an attacker who gets hold of the phone will find it extremely difficult to extract codes from a TOTP authenticator. The codes are still just six digits typed into a form, however, so they can be phished in real time by the proxy-based attacks described later in this article.
2FA via hardware key
This method uses a physical device for authorization: for example, a USB security key plugged into the computer, an NFC card tapped on the phone or reader, or a TOTP key fob that displays a new code every 30 or 60 seconds.
Hardware keys do not require an Internet connection, and this is one of the simplest and most secure 2FA methods. Keys built on the FIDO2/WebAuthn standard go further than code-based factors: the key signs a challenge that is bound to the site's origin, so a phishing proxy on a look-alike domain cannot relay the login. However, buying and maintaining such devices for every user can be costly for a business, and if the user must carry the key at all times, the risk of losing it is added.
6 Ways to Bypass Two-Factor Authentication
Despite all the advantages of two-factor authentication, each of the methods above has its own weaknesses. Below we describe exactly how attackers bypass two-factor authentication.
1. Bypass 2FA with Social Engineering
Social engineering is a non-technical attack in which the attacker tricks the victim into disclosing the one-time code. With the username and password already in hand, the attacker calls or messages the victim with a convincing story (a "security check", a "suspicious login") and urges them to read back the 2FA code that has just arrived.
In other cases, the attacker already knows enough about the victim to call the target service's help desk on their behalf, impersonate the user and claim that the account is locked or that the authenticator app is broken. If this succeeds, the attacker gets at least one-time access to the account and, if lucky, a full password reset.
2. Bypass 2FA with open authorization (OAuth)
OAuth is an open authorization protocol that grants applications and services limited access to user data without revealing the password. For example, to sign in to an application you may be asked to grant it partial access to your VK or Facebook account. The application then receives a token carrying a subset of the account's permissions (scopes) but never stores the user's password.
In consent phishing, the attacker registers an application that looks legitimate and sends the victim an OAuth authorization request for it. If the victim grants access, the attacker obtains a token and can do anything the requested scopes allow, such as reading mail or contacts. No credentials are stolen and no second factor is ever prompted: the victim has already authenticated, and the grant remains valid until the user or an administrator revokes it, so consent phishing sidesteps whatever 2FA is configured.
3. Bypass 2FA with Brute-Force
Sometimes attackers fall back on a brute-force attack, especially when the target uses outdated or weakly protected hardware. For example, some older TOTP key fobs produce only four-digit codes, which leaves just 10,000 possibilities to try.
The obstacle for the attacker is that the codes such fobs generate are only valid for a short time (30 or 60 seconds), so only a limited number of guesses can be submitted before the code changes. And if two-factor authentication is configured correctly, this attack is essentially impossible: the account is locked after a handful of incorrect OTP entries. A six-digit code gives 1,000,000 possibilities, and a server that accepts a few neighbouring time steps for clock drift makes two or three of them valid at once; without a lockout, a patient attacker scripting thousands of guesses per window would eventually get in, so the rate limit, not the code length, is what actually stops this attack.
4. Bypass 2FA with previously generated tokens
Some platforms let users pre-generate 2FA codes. For example, in the security settings of a Google account you can download a file with a set of backup codes that can later be used in place of the second factor. These exist for the case where the device used for authentication is lost. But if that file, or even one of the codes, falls into the hands of an attacker, they gain access to the account regardless of the configured two-factor authentication. Backup codes should therefore be stored as carefully as a password (in a password manager or offline), and on the service side each code must be single-use and invalidated as soon as it is redeemed.
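As an added illustration of how a service should handle backup codes (this is example code written for this article, not Google's implementation), the following Python generates a set of codes, keeps only their hashes so a leaked database does not yield usable codes, consumes each code exactly once, and invalidates the whole old set when a new one is issued. The alphabet, code length and the `BackupCodeStore` class are choices made for the example.

```python
import hashlib
import hmac
import secrets

# No 0/O or 1/I/l: a user typing the code from a printout should not misread it.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_code(length: int = 10) -> str:
    """One code of `length` symbols from a 31-symbol alphabet (about 49.5 bits
    for 10 symbols), formatted as xxxxx-xxxxx to ease copying from paper."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{raw[:length // 2]}-{raw[length // 2:]}"


def fingerprint(code: str) -> str:
    """Hash of the normalized code: the store never keeps plaintext codes."""
    normalized = code.replace("-", "").replace(" ", "").strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()


class BackupCodeStore:
    """Per-account set of unredeemed backup codes (fingerprints only)."""

    def __init__(self) -> None:
        self._unused: set[str] = set()

    def issue(self, count: int = 10) -> list[str]:
        """Returns the plaintext codes exactly once. Re-issuing replaces the
        whole set, so a previously downloaded or printed sheet stops working."""
        codes = [generate_backup_code() for _ in range(count)]
        self._unused = {fingerprint(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Single use: a matching code is removed before access is granted."""
        fp = fingerprint(code)
        matched = None
        for stored in self._unused:
            if hmac.compare_digest(stored, fp):   # no timing side channel
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)
        return True

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print(codes[0], store.redeem(codes[0]), store.redeem(codes[0]))   # <code> True False
```

Redeeming a backup code should be logged and the user notified, and when only a few remain the service should prompt for a new set; an attacker who copied the sheet will otherwise have the same codes the user still believes are private.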
5. Bypass 2FA with Session Cookies
Cookie theft, also known as session hijacking, lets an attacker access an account without knowing any password or 2FA code at all.
When users return to a site, they do not have to re-enter the password each time, because the browser stores a session cookie. It identifies the user, carries their authenticated state in the system and tracks session activity. Session cookies stay in the browser until the user logs out or the session expires, and many sites set long lifetimes. Thus anyone who obtains the cookie can present it to the site and be treated as the already-authenticated user.
Cybercriminals know many ways to obtain session cookies: session hijacking and fixation, cross-site scripting, and malware that copies cookies out of the browser's profile. In addition, attackers often use the Evilginx framework for adversary-in-the-middle phishing. With Evilginx, the attacker sends the victim a phishing link that leads to the login page of the real, legitimate site, but routed through a malicious reverse proxy. When the user logs in with 2FA, Evilginx captures the credentials and the one-time code and, more importantly, the session cookie the site issues after the successful login.
Since one-time codes expire and cannot be reused, it is much easier for attackers to replay the captured session cookie: it lets them log in and bypass two-factor authentication without needing any further code.
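The countermeasure on the service side is to make a stolen cookie worth as little as possible. The following Python is an added example for this article (not the code of any site or of Evilginx) of a server-side session table with an idle timeout, an absolute lifetime, a fresh session id minted after login, cookie attributes that limit theft via script or plaintext HTTP, and a revoke-all operation for password changes. The timeouts and the `SessionStore` class are assumptions chosen for the example; the `clock` parameter exists so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard ceiling regardless of activity


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by the opaque value kept in the cookie."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str) -> str:
        """Mint a fresh id after the password + 2FA step. Never keep a
        pre-login id: that is exactly what session fixation relies on."""
        sid = secrets.token_urlsafe(32)   # 256 bits, unguessable
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    @staticmethod
    def cookie_header(sid: str) -> str:
        """HttpOnly keeps the cookie away from injected script (XSS), Secure
        keeps it off plaintext HTTP, SameSite=Lax stops most cross-site
        requests from carrying it. None of these stops a reverse-proxy
        phish, which sees the cookie as the legitimate browser does."""
        return (f"Set-Cookie: session={sid}; Path=/; HttpOnly; Secure; "
                f"SameSite=Lax; Max-Age={ABSOLUTE_TIMEOUT}")

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a cookie value, or None if unknown or expired.
        A stolen cookie is only useful until one of the timeouts fires."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user_id

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def revoke_all(self, user_id: str) -> int:
        """On password change or suspected compromise: invalidates every
        session of the user, including copies an attacker is replaying
        from another browser. Returns how many were removed."""
        doomed = [k for k, v in self._sessions.items() if v.user_id == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print(store.cookie_header(sid))
    print(store.resolve(sid), store.revoke_all("alice"), store.resolve(sid))   # alice 1 None
```

Short lifetimes do not stop the Evilginx scenario, where the attacker replays the cookie within minutes, but they bound the damage of cookies lifted later from malware or backups, and server-side revocation is what lets an incident responder actually end the attacker's access.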
6. Bypass 2FA with SIM-jacking
A SIM-jacking (SIM-swap) attack gives the attacker full control over the victim's phone number. For example, criminals first collect basic personal data about the victim and then impersonate them at a mobile operator's store to have a new SIM card issued for the number. SIM-jacking is also possible through malicious applications installed on the victim's smartphone.
Control over the phone number means the attacker receives the one-time codes sent by SMS 2FA. And since this is the most popular two-factor method, an attacker can take over the victim's key accounts one by one, often starting with the e-mail account used for password resets, and gain full access to the data they need.
How can 2FA be made even more secure?
Despite the weaknesses described above, two-factor authentication is still the recommended way to secure online accounts. Here are some tips for using 2FA effectively:
if possible, use authenticator apps instead of plain SMS authentication, as apps are much safer and the one-time code cannot be read without full access to the unlocked smartphone;
never give one-time or backup codes to anyone, no matter who the caller claims to be;
use longer one-time codes, eight digits rather than six, if the service allows such a setting;
do not use simple passwords to protect your account; generate a long random password and keep it in a password manager;
do not reuse the same password across critical accounts;
use physical security keys as an alternative form of authentication; FIDO2/WebAuthn keys in particular are not vulnerable to the phishing-proxy attacks described above;
familiarize yourself with popular social engineering tactics so you are not scammed;
if we are talking about a company with a sizeable staff, it is worth engaging a security consultant to review the setup.