Cracking 2FA: How It's Done and How to Stay Safe
Two-factor authentication is a common best security practice but not ironclad. Here's how it can be bypassed, and how you can improve security.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2866cd7de3c2aff1/64f0d62a22fa756eacd8ce3d/2fa-socialengineer.jpg?width=700&auto=webp&quality=80&disable=upscale)
Two-factor authentication is common but hackable. If you haven't implemented 2FA, there's a good chance you're in the process. It's a growing best practice, especially in the workplace where growing stores of sensitive data demand employees strengthen their login security.
But 2FA isn't a guaranteed shield against cyberattacks. It can be bypassed, as most recently demonstrated by KnowBe4 chief hacking officer Kevin Mitnick in a hack last week. Mitnick used a phishing attack to prompt users for their LinkedIn credentials. When they were entered into the fake login page, the attacker could access their username, password, and session cookie. When Mitnick plugged the target's session cookie into his browser, he didn't need the second-factor code to log into the LinkedIn account.
Cracking 2FA isn't new; hackers have presented these types of exploits as concepts at conferences like Black Hat. But Mitnick's demo put the code into context for everyday users and showed them their second factor is hackable.
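The reason a captured session cookie sidesteps the second factor is that, once the login ceremony is over, most web applications treat the cookie as a bearer credential: whoever presents it is the user. The following is an added illustration (not LinkedIn's, KnowBe4's or Okta's code) of a minimal server-side session store that shows that behaviour and one common hardening: an absolute session lifetime and a step-up requirement that makes sensitive actions demand a recent second-factor check. The lifetimes, the `FakeClock`, and the user name are constructed assumptions.

```python
import secrets

# Assumed policy values for the illustration.
ABSOLUTE_LIFETIME = 8 * 3600   # session dies after 8 hours regardless of activity
MFA_FRESHNESS = 15 * 60        # sensitive actions need a second factor seen in the last 15 minutes


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def time(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SessionStore:
    def __init__(self, now):
        self.now = now          # callable returning the current time
        self.sessions = {}      # session id -> {"user", "issued", "mfa_at"}

    def create(self, user, mfa_passed):
        """Issue a bearer session id after login; record when the second factor was seen."""
        sid = secrets.token_urlsafe(32)
        t = self.now()
        self.sessions[sid] = {"user": user, "issued": t, "mfa_at": t if mfa_passed else None}
        return sid

    def lookup(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["issued"] > ABSOLUTE_LIFETIME:
            del self.sessions[sid]   # expired: force a full login, second factor included
            return None
        return s

    def authorize(self, sid, sensitive=False):
        """Return (allowed, reason).

        For ordinary pages the cookie alone is enough, which is exactly why a stolen
        cookie bypasses the second factor. Sensitive actions additionally require a
        second factor seen within MFA_FRESHNESS, so a thief holding only the cookie
        is stopped at the step-up prompt.
        """
        s = self.lookup(sid)
        if s is None:
            return False, "no valid session"
        if not sensitive:
            return True, "session cookie accepted"
        if s["mfa_at"] is None or self.now() - s["mfa_at"] > MFA_FRESHNESS:
            return False, "step-up: second factor required"
        return True, "recent second factor on record"

    def record_mfa(self, sid):
        s = self.lookup(sid)
        if s is not None:
            s["mfa_at"] = self.now()

    def revoke_all(self, user):
        """On suspected cookie theft, invalidate every session the user has."""
        doomed = [sid for sid, s in self.sessions.items() if s["user"] == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


def demo():
    """Walk through the scenario; returns the four authorization outcomes."""
    clock = FakeClock()
    store = SessionStore(now=clock.time)
    sid = store.create("alice", mfa_passed=True)       # constructed user
    outcomes = [store.authorize(sid)[0]]                # True: cookie alone is enough
    outcomes.append(store.authorize(sid, sensitive=True)[0])   # True: second factor is fresh
    clock.advance(20 * 60)
    outcomes.append(store.authorize(sid, sensitive=True)[0])   # False: step-up required
    store.revoke_all("alice")
    outcomes.append(store.authorize(sid)[0])            # False: session revoked
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The first outcome is the weakness the demo exploited: nothing in the store ties the id to the browser that completed the second factor. The freshness check and the revoke path do not prevent the theft, but they bound what a stolen cookie buys and give an incident responder a single switch to cut it off.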
A challenge with implementing two-factor authentication is enforcing a policy that employees may consider inconvenient.
"It's always a matter of trying to balance usability and security," says Joe Diamond, director of security product management at Okta. Most companies err on the side of usability to stay on employees' good sides, but they run the risk of neglecting stronger security factors.
Here, we take a closer look at cyberattacks that can bypass two-factor authentication: how they are done, when they typically happen, which methods are most and least common, and how you can protect your employees from these types of exploits.
"The most obvious, and the way the majority of attackers go after two-factor authentication, is via social engineering types of attacks," says Steve Manzuik, director of security research at Duo Security. Attackers who want to bypass the second factor typically steal it from their victims.
"I'd be shocked if we found a two-factor vendor who wasn't generating those codes securely," he says. This isn't to say someone hasn't done it wrong, he continues, but most companies do it well. This motivates attackers to take codes from their victims instead of generating their own.
These are specially targeted attacks, he continues. "One of the big misconceptions is people assume attacking two-factor is something that can happen on a mass scale ... because of the way two-factor works, it's more of a targeted attack scenario."
The target of a 2FA attack depends on the attacker's motivations. If your organization has execs or senior engineers you've identified as likely targets, they probably are. "A smart attacker is going to target the people who have access to whatever they're trying to get at," Manzuik says.
This is the most common way of cracking two-factor authentication, Manzuik says, but it's not as simple as spamming an entire organization with malware. You can't simply send a mass email and wait for someone to click the link. Bypassing 2FA is sneakier and more intensive.
"It relies on the user to not be suspicious in any way," he adds.
Hackers need to know their targets: who they are, how they're using two-factor, and where they're located. The phishing email needs to convince the target they're logging into a legitimate portal. For example, if a target is using a one-time passcode as 2FA for their Gmail account, the attacker would have to know so they can duplicate the login page and convince the person to enter their username and password.
While timing depends on the attacker, Manzuik says it makes the most sense for them to act during the workday because it's when people expect to receive one-time codes. If they're prompted for a two-factor code in the middle of the night, targets will be suspicious.
For phishing one-time passcodes, timing is crucial. When the user receives the passcode, it has to be valid long enough for the attacker to use it. But the timing is only critical for access: once an attacker collects credentials and gains access, they can sit on the network, move across it, or use their position within the company to target the victim's friends or colleagues.
This means of bypassing 2FA is possible but uncommon, explains Manzuik, who says it has been seen in the wild. All major phone carriers are on the SS7 network and there have been targeted scenarios in which an attacker gains access to the network.
How this works: if you have two-factor authentication and receive a one-time passcode to your phone, a hacker who has access to the SS7 network can intercept the message if they have your phone number, he says. SS7 network administrators have been attacked for their credentials; once an attacker has those, they can access systems on the network.
This lesser-known method is gaining more popularity but presents a higher risk to the attacker. SS7 is an old technology based on old architecture, and there are a lot of security issues there, Manzuik says.
Manzuik points to an attack that he says hasn't been seen in the wild yet, but which is possible and already generating conversation among security pros. It involves an attacker getting on someone's desktop and planting malware that could compromise the two-factor process.
The effectiveness of this technique would depend on the form and implementation of two-factor authentication, he explains. As people move away from one-time passcodes and on to other types of 2FA, we'll see attackers explore other ways to bypass the added security.
Two-factor authentication requires users to provide two proofs of identity to log into an account, typically a password and one-time code sent via email or text. Multi-factor authentication (MFA) grants access based on several data points; in looking at multiple attributes, it strengthens the likelihood that a person is whom they claim to be.
"You don't want to rely on any one piece of information by itself," says Diamond. "You want to look at multiple pieces of information to derive a conclusion."
The downside of MFA is the more factors you require, the more likely you are to inconvenience end users. Employees may be required to authenticate multiple times a day or coordinate hard tokens with digital ones. IT teams may also be challenged to implement MFA with several different systems and applications.
One-time passcodes are a popular form of 2FA but also the most bypassed. "It's probably the least desirable of certain two-factor experiences," says Diamond. Tokens can be phished or affected by social engineering attacks or man-in-the-middle attacks.
Authenticator apps provide more context around an authentication request such as the city, IP address, and time of request. More details make it easier to securely approve or deny a request, he adds. These apps simply require users to press a push notification to authenticate themselves without entering a one-time code. The push function eliminates the need for text-based passcodes and is more resilient to phishing. While it doesn't make users 100% secure, he explains, it raises the bar high enough that an attacker would probably give up and move on.
"To attack those methods of two-factor you're really going to rely on the user to be fooled," he continues. However, it has happened. Manzuik says attackers try to place fake authenticator apps onto app stores to trick users into downloading and submitting their credentials.
Diamond also recommends physical security keys like the YubiKey, which he puts at the opposite end of the security spectrum from one-time passcodes. It's high-assurance, he says, because there's no way to phish a YubiKey. That said, it also requires employees to insert a physical token into their USB port.
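What makes a FIDO security key phishing-resistant is not the hardware alone but the protocol: the browser, not the web page, writes the origin it is talking to into the signed client data, and the relying party refuses any assertion whose origin or challenge does not match. The following is an added example (not YubiKey, Okta or any vendor's code) of that relying-party check on a constructed `clientDataJSON`; the real origin, the challenge and the look-alike origin are assumptions, and the authenticator signature verification that would follow this check is omitted.

```python
import base64
import json
import secrets

RP_ORIGIN = "https://login.example.com"   # assumed origin of the real login page


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ChallengeStore:
    """One fresh random challenge per pending login; consumed on first use."""
    def __init__(self):
        self.pending = {}

    def issue(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def consume(self, user: str):
        return self.pending.pop(user, None)


def check_client_data(client_data_json: bytes, expected_challenge: bytes, expected_origin: str):
    """Return (ok, reason) for the clientDataJSON checks a WebAuthn relying party performs.

    The signature the key produces covers SHA-256(clientDataJSON), so a phishing site
    cannot swap in the real origin after the fact: the key signed what the browser saw.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: " + repr(cd.get("origin"))
    return True, "client data bound to our origin and challenge"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser would produce on `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def demo():
    """Returns (real_site_ok, lookalike_ok, replay_ok) for a constructed scenario."""
    store = ChallengeStore()
    challenge = store.issue("alice")                        # constructed user
    real = make_client_data(RP_ORIGIN, challenge)
    fake = make_client_data("https://login-example.com", challenge)   # assumed look-alike
    real_ok, _ = check_client_data(real, store.consume("alice"), RP_ORIGIN)
    fake_ok, _ = check_client_data(fake, challenge, RP_ORIGIN)
    replay_ok = store.consume("alice") is not None           # challenge already used
    return real_ok, fake_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

A one-time passcode carries no such binding: the digits look identical whether they are typed into the genuine page or a copy of it, which is why the same user behaviour that defeats OTP-based 2FA leaves a security key unaffected.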
"The problem with these types of attacks, from a defense perspective, is it really does rely on users making the correct decisions -- and sometimes that's difficult for users to do," says Manzuik. It comes down to giving people a "healthy level of paranoia" by training them on threats and how they can recognize and respond to them. This means doing more than simply tricking people with a fake phishing attack; you also need to tell them where they went wrong and how to spot a potentially malicious message.
Diamond agrees end users not only need to be educated on the benefits of two-factor authentication but how to properly share information online. "We've been kind enough to give threat actors everything they could want to know in order to target us," he says. Social media is a gold mine for hackers who want to know names, addresses, friends, and family members.
"We have to divulge a little bit less about ourselves across the various mediums," he says. As for 2FA, "it's going to be a necessity," he emphasizes. "We're coming to a place in which this is no longer an option; this is something you have to have."