Two-factor authentication is common but hackable. If you haven't implemented 2FA, there's a good chance you're in the process. It's a growing best practice, especially in the workplace where growing stores of sensitive data demand employees strengthen their login security.
But 2FA isn't a guaranteed shield against cyberattacks. It can be bypassed, as most recently demonstrated by KnowBe4 chief hacking officer Kevin Mitnick in a hack last week. Mitnick used a phishing attack to prompt users for their LinkedIn credentials. When they were entered into the fake login page, the attacker could access their username, password, and session cookie. When Mitnick plugged the target's session cookie into his browser, he didn't need the second-factor code to log into the LinkedIn account.
Cracking 2FA isn't new; hackers have presented these types of exploits as concepts at conferences like Black Hat. But Mitnick's demo put the code into context for everyday users and showed them their second factor is hackable.
A challenge with implementing two-factor authentication is enforcing a policy that employees may consider inconvenient.
"It's always a matter of trying to balance usability and security," says Joe Diamond, director of security product management at Okta. Most companies err on the side of usability to stay on employees' good sides, but they run the risk of neglecting stronger security factors.
Here, we take a closer look at cyberattacks that can bypass two-factor authentication: how they are done, when they typically happen, which methods are most and least common, and how you can protect your employees from these types of exploits.