You may think that once you have implemented two-factor authentication (2FA), all your employees are safe. While 2FA is one of the best ways to add an additional layer of security on top of user credentials, it can still be bypassed. We will show you how easy it can be to bypass it. Just last fall, the FBI warned the public about the rising threat against organizations and their employees, and about how common social engineering techniques are used to bypass 2FA.
Two-factor authentication is used on top of the user's password as a second form of authentication when logging into an account. The second factor can be a code delivered by text message or generated by an authenticator application, or it can be a fingerprint or face recognition. Two-factor authentication is a subset of multi-factor authentication, in which the user is required to identify himself/herself in more than two different ways.
Two-factor authentication always requires a second form of identification. When you try to log in to an account, you first enter your username and password. When two-factor authentication is enabled, you must then provide a second proof that you are the owner of the account before you can access it.
Two-factor authentication is an added layer of security. Even if you accidentally gave away your password, hackers would still need access to the second form of identification before they could enter your account. It is strongly recommended that you turn on two-factor authentication for any essential account wherever possible. It is an extra layer of security that keeps you mostly secure, unless, of course, you fall victim to social engineering and give away the two-factor authentication code yourself. If you are looking for an authenticator application, here are some smartphone apps you can consider:
While organizations consider two-factor authentication a secure way of identifying users for access, there are fairly simple techniques for bypassing 2FA. In most of the cases below, we assume that the attackers already have the user's password.
In this case, attackers use the password reset function because 2FA is often not enforced on the system's login page after a password reset. How does it work in practice?
Using this method, attackers can bypass two-factor authentication on platforms whose architecture makes it possible.
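The defensive side of the password reset weakness, as an added example that is not code from the original article or from any product it mentions: a minimal in-memory account service in Python (the stores, function names and session shape are all assumptions made for illustration). The weak reset handler hands out a fully trusted session the moment the reset completes, which is exactly the gap described above; the hardened handler changes the password, revokes every existing session for the account, and returns a session that is still waiting for the second factor.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the application's database
# (assumption: the real service keeps these server-side, never in the client).
USERS = {}          # username -> {"salt": bytes, "pw_hash": bytes}
SESSIONS = {}       # session_id -> {"user": str, "mfa_verified": bool}
RESET_TOKENS = {}   # single-use reset token -> username


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_pw(password, salt)}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _hash_pw(password, user["salt"]))


def _start_session(username: str, mfa_verified: bool) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "mfa_verified": mfa_verified}
    return sid


def issue_reset_token(username: str) -> str:
    """Would normally be e-mailed to the user; the token is the only secret in the flow."""
    tok = secrets.token_urlsafe(32)
    RESET_TOKENS[tok] = username
    return tok


def _consume_reset_token(token: str) -> str:
    username = RESET_TOKENS.pop(token, None)   # single use: second redemption fails
    if username is None:
        raise PermissionError("invalid or already used reset token")
    return username


def _set_password(username: str, new_password: str) -> None:
    user = USERS[username]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_pw(new_password, user["salt"])


def reset_password_weak(token: str, new_password: str) -> str:
    """The flaw the text describes: finishing the reset logs the user straight in
    with a fully trusted session, so the second factor is never asked for."""
    username = _consume_reset_token(token)
    _set_password(username, new_password)
    return _start_session(username, mfa_verified=True)


def reset_password_hardened(token: str, new_password: str) -> str:
    """Reset changes the password, revokes every existing session for the
    account, and returns a session that still has to pass the second factor."""
    username = _consume_reset_token(token)
    _set_password(username, new_password)
    for sid in [s for s, v in SESSIONS.items() if v["user"] == username]:
        del SESSIONS[sid]
    return _start_session(username, mfa_verified=False)


def complete_second_factor(session_id: str, second_factor_ok: bool) -> bool:
    """second_factor_ok is the result of the OTP or security-key check, which is
    outside this example; only a passing check upgrades the session."""
    s = SESSIONS.get(session_id)
    if s is None or not second_factor_ok:
        return False
    s["mfa_verified"] = True
    return True


def can_access_account(session_id: str) -> bool:
    """Every protected endpoint should gate on this, not on the session merely existing."""
    s = SESSIONS.get(session_id)
    return bool(s and s["mfa_verified"])
```

The check to run against a real system is the last function: if any endpoint that returns account data accepts a session created by the reset flow before the second factor has been presented, the reset path is a 2FA bypass regardless of how strong the login page is.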
OAuth integration allows users to log into their account using a third-party account. This means that you would have an alternative option to sign into a platform with your Facebook or Gmail account. How does OAuth work?
Here, the attackers don't even need to deal with 2FA if they have, for example, the user's Facebook or Gmail username and password.
When the two-factor authentication code is only four to six characters long (often just digits), attackers may be able to bypass 2FA by brute-forcing the code against the account.
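What makes a short numeric code survive guessing is not the code itself but the verifier around it. The following is an added example in Python, not code from the article: a standard HOTP/TOTP implementation (RFC 4226 and RFC 6238, HMAC-SHA1, 6 digits) wrapped in a verifier that counts failures per account, locks the account for a while after too many, compares in constant time, and never accepts the same code twice. The attempt limit and lockout length are assumptions chosen for illustration; `guess_probability` shows why the limit matters: with 5 tries against a 6-digit code the chance of success is 5 in a million, while with no limit it is certain.

```python
import hashlib
import hmac
import struct
import time

MAX_ATTEMPTS = 5         # failures allowed before lockout (assumption)
LOCKOUT_SECONDS = 300    # lockout length (assumption)
TIME_STEP = 30           # TOTP step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def guess_probability(digits: int, attempts: int) -> float:
    """Chance that `attempts` guesses at a `digits`-long numeric code hit the right one."""
    return min(1.0, attempts / (10 ** digits))


class OtpVerifier:
    """Server-side verifier for one account. `clock` is injectable so the
    behaviour can be exercised deterministically."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0
        self.last_used_counter = -1   # highest counter already redeemed (replay guard)

    def verify(self, submitted: str) -> bool:
        now = self.clock()
        if now < self.locked_until:
            return False               # locked out: no comparison is even made
        counter = int(now) // TIME_STEP
        accepted = False
        # Accept one step either side for clock drift, but only counters not yet used.
        for c in (counter - 1, counter, counter + 1):
            if c > self.last_used_counter and hmac.compare_digest(hotp(self.secret, c), submitted):
                accepted = True
                self.last_used_counter = c
                break
        if accepted:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False
```

The replay guard is what turns a six-digit code that is "valid for 30 seconds" into a code that is valid exactly once; the lockout is what keeps the search space of a million codes out of reach. Both belong on the server, since a client-side throttle can be ignored by anyone driving the endpoint directly.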
Some platforms offer users the possibility to generate tokens in advance, such as a document with a certain number of backup codes, to be used later in place of the regular second factor. If an attacker gets access to that document, they can easily use it to bypass 2FA, assuming that they also have the user's password.
Case 1
In this case, too, we assume that the attacker has a hold of the user's username and password. To obtain the 2FA code, the attackers could send an email to you with a made-up excuse to request the verification code that was sent to your phone number. Once you send them the code, the attacker will be able to bypass the 2FA.
Even when the attackers don't have your username and password, they could bypass 2FA by getting you to click on a link that leads to a phishing website mimicking a real one, such as LinkedIn. The email would look like it comes from the service provider itself. When you provide your login credentials on the fake page, the hacker can use them to sign in on the real website. At that point, you receive a code, and once you enter it on the fake website, the hacker gets the code as well. They can then successfully breach your account.
Despite the flaws that we outlined above, two-factor authentication is still a great way to secure your accounts. Here are a couple of tips on how to stay safe while using two-factor authentication: