Two-factor authentication (2FA) is a security measure that comes standard on almost every software product, platform, and online service today. Its concept is simple: rather than relying on a username and password alone to log in to an account, 2FA requires an additional piece of information to grant access, usually in the form of a temporary code sent to your phone or email. This means even a stolen password won’t be enough for a hacker to gain unauthorized access, as they would also need the secondary authentication details, which can be difficult to obtain.
However, while 2FA makes up for the shortcomings of using passwords alone, it isn’t completely foolproof. Like other security measures, hackers can find ways to bypass 2FA in certain circumstances. Let’s take a closer look at how hackers can potentially bypass 2FA so you can protect your business from such attempts.
How can hackers bypass 2FA?
Here are the most common ways hackers attempt to bypass 2FA:
Social engineering
Social engineering — also known as “human hacking” — is a tactic that relies on tricking people into making mistakes, such as revealing sensitive information. A common social engineering tactic is for hackers to impersonate trusted individuals, such as technical support personnel or a boss, to convince users to provide both their login credentials and 2FA codes. Through cunning persuasion and instilling their target with a sense of urgency, a hacker can fool users into handing over access to their accounts, 2FA-enabled or not.
Deceptive phishing emails and fraudulent websites are common tools used in social engineering attacks. These emails and websites often look legitimate, making it harder for users to spot the scam. If a user enters their information on these fake sites or responds to these deceptive emails, hackers can use that information to compromise a user’s 2FA-enabled accounts.
Password reset flaws
Despite the implementation of 2FA, some websites and applications overlook the need for a second authentication factor during the password reset process. This oversight enables attackers to exploit the password reset function, gaining access to an account without needing to provide the additional verification typically required by 2FA. Essentially, attackers can obtain a password reset token and use it to access the account, circumventing the intended security measures.
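To make the gap concrete, here is an added example (not code from the original post) contrasting two password reset flows. The insecure version lets anyone holding the emailed reset token set a new password, so 2FA on the login page never comes into play; the hardened version refuses to issue the password change until the account’s second factor has been verified, expires the token, and limits code guesses. Storage is an in-memory dictionary, the second-factor check is injected as a callable so any method fits, and the demo verifier with the fixed code `246810` for user `alice` is constructed for illustration only.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RESET_TTL_SECONDS = 15 * 60   # reset tokens die after 15 minutes
MAX_CODE_ATTEMPTS = 5         # wrong second-factor codes allowed per token


class InsecureReset:
    """Reset flow with no second factor: the emailed token alone sets the password."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}     # token -> user
        self.passwords: Dict[str, str] = {}  # demo only; a real system stores a hash

    def request(self, user: str) -> str:
        token = secrets.token_urlsafe(32)    # this is what gets emailed
        self.tokens[token] = user
        return token

    def complete(self, token: str, new_password: str) -> bool:
        user = self.tokens.pop(token, None)
        if user is None:
            return False
        self.passwords[user] = new_password  # no 2FA check anywhere on this path
        return True


@dataclass
class PendingReset:
    user: str
    created_at: float
    second_factor_verified: bool = False
    attempts: int = 0


class SecureReset:
    """Reset flow that gates the password change behind the second factor."""

    def __init__(self, second_factor_ok: Callable[[str, str], bool],
                 now: Callable[[], float] = time.time) -> None:
        self.second_factor_ok = second_factor_ok   # (user, code) -> bool
        self.now = now                             # injectable clock for expiry tests
        self.pending: Dict[str, PendingReset] = {}
        self.passwords: Dict[str, str] = {}

    def request(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingReset(user, self.now())
        return token

    def _lookup(self, token: str) -> Optional[PendingReset]:
        p = self.pending.get(token)
        if p is None:
            return None
        if self.now() - p.created_at > RESET_TTL_SECONDS:
            del self.pending[token]                # expired: drop it
            return None
        return p

    def verify_second_factor(self, token: str, code: str) -> bool:
        p = self._lookup(token)
        if p is None:
            return False
        if not self.second_factor_ok(p.user, code):
            p.attempts += 1
            if p.attempts >= MAX_CODE_ATTEMPTS:
                del self.pending[token]            # too many guesses: token is burned
            return False
        p.second_factor_verified = True
        return True

    def complete(self, token: str, new_password: str) -> bool:
        p = self._lookup(token)
        if p is None or not p.second_factor_verified:
            return False                           # no second factor, no password change
        del self.pending[token]                    # single use
        self.passwords[p.user] = new_password
        return True


# Constructed demo verifier: in practice this would call the TOTP / security-key check.
DEMO_CODES = {"alice": "246810"}


def demo_second_factor(user: str, code: str) -> bool:
    return hmac.compare_digest(DEMO_CODES.get(user, ""), code)
```

The point of the comparison is the shape of the control flow: in `SecureReset` there is no path from the emailed token to `complete()` that does not pass through `verify_second_factor()`, whereas `InsecureReset` is exactly the reset handler the paragraph above describes.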
Open authorization (OAuth) consent phishing
OAuth is an authentication protocol that allows users to log in to various applications and online services via authorization tokens. These tokens are granted when users consent to an OAuth-enabled app accessing their accounts, such as their Google or Facebook accounts.
However, OAuth can also be used by attackers to gain access to accounts through consent phishing. In an OAuth consent phishing attack, hackers create fake pages that resemble legitimate OAuth consent screens for popular services such as Google, Microsoft, or Twitter. When users give their consent on these fraudulent screens, they unknowingly provide login credentials and approve permissions, thinking they’re granting access to a trusted application. With the login credentials and consent approval, attackers have unfettered access to the 2FA-enabled account.
Man-in-the-middle (MitM) attacks
MitM attacks involve hackers positioning themselves between a user and the service they’re trying to access, typically by exploiting an unsecured or poorly secured public Wi-Fi network. From this position, hackers can intercept and modify data being transmitted between the user and the service, including any 2FA codes.
SIM swapping
SIM swapping simply means transferring a phone number from one SIM card to another. Hackers use this technique to intercept incoming messages containing 2FA codes. This works by tricking the victim’s mobile service provider into assigning the hacker’s SIM card as the primary one for that phone number, effectively hijacking it. With access to the victim’s phone number, hackers can easily receive and use any one-time SMS codes sent to that number, bypassing the security measure altogether.
2FA best practices
Even though 2FA has vulnerabilities, it’s still a crucial security measure that businesses should implement. It’s how businesses implement and manage 2FA that can prevent bypass attempts. To maximize the effectiveness of 2FA while keeping it secure, businesses should adopt the following best practices:
Use authenticator apps
Most 2FA methods involve sending temporary codes via SMS or email, but these can be easily intercepted by hackers through account takeover, SIM swapping, and/or MitM attacks.
To avoid these vulnerabilities, businesses should use authenticator apps like Google Authenticator or Microsoft Authenticator. These apps generate time-based codes that are only accessible on a mobile device on the user’s person, making it significantly more difficult for hackers to intercept.
What’s more, authenticator apps eliminate the need for a network connection, allowing users to generate codes even when they’re offline. This means there’s no risk of a compromised network or connection that enables hackers to intercept sensitive information.
Utilize physical security keys
Physical security keys are small devices that connect to a computer or mobile device via USB, Bluetooth, or near field communication (NFC). These keys generate one-time passcodes to authenticate login attempts to company systems and services. Physical security keys are a safe form of 2FA because they cannot be intercepted or hacked remotely. As long as the user doesn’t lose their physical security key, there’s no risk of unauthorized access through 2FA bypassing.
Switch to biometric authentication if possible
Biometrics, such as fingerprints and facial profiles, are unique identifiers that can be used as a secondary authentication factor instead of temporary passcodes. Unlike passwords and one-time codes, biometric data cannot be guessed or easily replicated, making it a more secure form of 2FA. Additionally, biometric authentication is often faster and easier for users than entering codes or remembering passwords.
Implement risk-based authentication
Risk-based authentication is a process where the level of authentication required is determined by the perceived risk of the login attempt. It analyzes various risk factors, such as the location of the login attempt, device used, and user behavior.
If a login attempt is deemed risky, additional authentication measures, such as 2FA or challenge questions, can be triggered to verify the user’s identity. For instance, if a user tries to log in to company systems outside of regular business hours, they may be prompted to enter a one-time code to verify their identity. Some authentication policies may even block login attempts outright if the conditions are considered too high-risk, such as a login attempt from an unregistered device.
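As an added example (not code from the original post), here is a small risk-scoring policy that turns the signals just described into a decision. Each signal adds points and the total maps to allow, step-up (prompt for a one-time code), or block; the weights, thresholds, business-hours range, and the sample user profile are all constructed for illustration, and the weight for an unregistered device is set high enough to block on its own, matching the policy the paragraph above describes.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import FrozenSet, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_one_time_code"
    BLOCK = "block"


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    country: str
    device_id: str
    when: datetime              # local time of the attempt
    failed_logins_last_hour: int


@dataclass(frozen=True)
class UserProfile:
    user: str
    home_country: str
    registered_devices: FrozenSet[str]


# Constructed policy values: tune these to your own environment.
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59, Monday to Friday
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 70
WEIGHTS = {
    "unusual country": 40,
    "unregistered device": 70,   # alone this reaches BLOCK_THRESHOLD
    "outside business hours": 30,
    "repeated failed logins": 20,
}


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, List[str]]:
    """Sum the weights of every risk signal present and return the reasons
    alongside the score, so the decision can be logged and explained."""
    reasons: List[str] = []
    if attempt.country != profile.home_country:
        reasons.append("unusual country")
    if attempt.device_id not in profile.registered_devices:
        reasons.append("unregistered device")
    outside_hours = attempt.when.hour not in BUSINESS_HOURS or attempt.when.weekday() >= 5
    if outside_hours:
        reasons.append("outside business hours")
    if attempt.failed_logins_last_hour >= 3:
        reasons.append("repeated failed logins")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt: LoginAttempt, profile: UserProfile) -> Decision:
    """Map the score onto the three outcomes the policy supports."""
    score, _ = risk_score(attempt, profile)
    if score >= BLOCK_THRESHOLD:
        return Decision.BLOCK
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample data.
ALICE = UserProfile("alice", "US", frozenset({"laptop-01"}))
TUESDAY_10AM = datetime(2024, 3, 5, 10, 0)
TUESDAY_11PM = datetime(2024, 3, 5, 23, 0)

NORMAL = LoginAttempt("alice", "US", "laptop-01", TUESDAY_10AM, 0)
AFTER_HOURS = LoginAttempt("alice", "US", "laptop-01", TUESDAY_11PM, 0)
NEW_DEVICE = LoginAttempt("alice", "US", "unknown-device", TUESDAY_10AM, 0)
ABROAD = LoginAttempt("alice", "RO", "laptop-01", TUESDAY_10AM, 0)
```

Returning the reasons together with the score matters in practice: a step-up prompt or a block that the help desk cannot explain gets disabled, and the log line with the reasons is also what a detection team will want when reviewing blocked attempts.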
Educate employees on good security habits
Passwords and 2FA codes are only as secure as the users who create and manage them. That means employees must be more proactive in preventing 2FA bypass and unauthorized access attempts. Businesses must therefore regularly train employees to develop good security habits. By the end of the training, employees should be familiar with security risks and understand how to safeguard sensitive data.
Good security habits to promote include setting long and unique passwords, never sharing 2FA codes with anyone, avoiding public Wi-Fi networks, and being aware of social engineering tactics used in phishing attacks. Having a solid security foundation among employees can mean the difference between a successful 2FA implementation and a breach caused by human error.
If your business is currently using 2FA but is unaware of the risk, we urge you to reassess your current setup and employ stronger security measures right away. Of course, the security experts at Dynamic Solutions Group can also help you fortify your systems against unauthorized access. Call us now to enhance your company’s security posture.