You may think that once you have implemented two-factor authentication (2FA), all your employees are safe.While 2FA is one of the best ways to add an additional layer of security on top of user credentials, it can still be bypassed. We will show you how easy it can be to bypass it.Just last Fall, the FBI warned the public about the rising threat against organizations and their employees and how common social engineering techniques are used to bypass 2FA.
What is two-factor authentication?
Two-factor authentication is used on top of the user’s password when logging into an account as a second form of authentication. The second layer of authentication can be a code provided through a text message, authenticator applications, or it can be made up of a fingerprint or face recognition.Two-factor authentication is a subset of multi-factor authentication. In the case of multi-factor authentication, the user is required to identify himself/herself in more than two different ways.
How does two-factor authentication work?
Two-factor authentication always requires a second form of identification. When you try to log in to an account, first, you must enter your username and password.When the two-factor authentication is enabled, you will need to provide a second form of proof that you are the owner of the account before you can access it.
Why do you need two-factor authentication?
Two-factor authentication is an added layer of security. Even if you accidentally gave away your password, hackers would need to get access to the second form of identification before they could enter your account. It’s strongly recommended that you turn on two-factor authentication for any essential account if possible. It’s an extra layer of security that keeps you mostly secure. Unless, of course, you fall victim to social engineering, and you give away the two-factor authentication code yourself. If you are looking for an authenticator application, here are some smartphone apps you can consider:
- Google Authenticator
- Microsoft Authenticator
- Salesforce Authenticator
- SecureAuth
- Duo Security
- Symantec VIP
- Transakt
- LastPass Authenticator
And you may also want to consider investing in security awareness training to help safeguard your employees against social engineering.
How hackers are using social engineering techniques to bypass two-factor authentication
While organizations consider two-factor authentication a secure way of identification for access, there are fairly simple techniques for bypassing 2FA.In most of the cases, we assume that the attackers already have the user’s password.
1. Bypassing 2FA with conventional session management
In this case, attackers use the password reset function because, often, 2FA is not implemented on the system’s login page after a password reset.How does it work in practice?
- The attacker clicks on the ‘change password’ link.
- The attacker requests the password reset token.
- The attacker uses the password reset token.
- The attacker logs into the web application.
Using this method, attackers can bypass the two-factor authentication in certain platforms where the architecture of the site or platform makes it possible.
2. Bypassing 2FA using OAuth
OAuth integration allows users to log into their account using a third-party account. This means that you would have an alternative option to sign into a platform with your Facebook or Gmail accounts.How does OAuth work?
- The site requests an authentication token from the third-party site (e.g., Facebook).
- Facebook (or another third-party site) verifies the user account.
- Facebook (or another third-party site) sends a callback code.
- The site logs the user in.
Here, the attackers don’t even need to use 2FA if they, for example, have the user’s Facebook or Gmail username and password.
3. Bypassing 2FA using brute force
When the length of the two-factor authentication code is four to six characters (often just numbers), it makes it possible for attackers to bypass 2FA by using brute-force against the account.
4. Bypassing 2FA using earlier-generated tokens
Some platforms offer the possibility for users to generate tokens in advance, such as a document with a certain number of codes, to be used later for bypassing 2FA.If an attacker gets access to the document, they can easily use it to bypass 2FA, assuming that they also have the password of the user.
5. Bypassing 2FA using social engineering
Case 1
In this case, too, we assume that the attacker has a hold of the user’s username and password.To attain the 2FA code, the attackers could send an email to you with a made-up excuse to request the verification code that was sent to your number. Once you send them the code, the attacker will be able to bypass the 2FA.
Case 2
Even when the attackers don’t have your username and password, they could bypass 2FA by getting you to click on a link and go to a phishing website that mimics a real website, such as LinkedIn. The email would look like it comes from the service provider itself.When you provide your login credentials on the fake page, the hacker can use it to sign in on the real website. At that point, you receive a code, and once you enter it on the fake website, the hacker gets the code as well. They can then successfully breach your account.
Stay safe when using 2FA
Despite the flaws that we outlined above, two-factor authentication is still a great way to secure your accounts.Here are a couple of tips on how to stay safe while using two-factor authentication:
- Use authenticator apps like Google or Microsoft Authenticator whenever possible instead of text message codes.
- Never share security codes with anyone.
- If possible, use codes with characters of more than 4 to 6.
- If you are unsure about your security, double-check with someone else about what you should do.
- Use difficult passwords – use a password generator and a password manager.
- Never reuse passwords.
- Consider using a security key as an alternative form of authentication used in 2FA.
- Care about your security and understand common social engineering tactics. Provide your employees with knowledge, skills, and tools so they would know what they are facing.
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt