Attackers Can Bypass Two-Factor Authentication
You may think that once you have implemented two-factor authentication (2FA), all of your employees are safe. While 2FA is one of the most effective ways to add a further layer of security on top of user credentials, it can still be bypassed. We'll show you how easy it can be to bypass it. Just last fall, the FBI warned the general public about the rising threat against organizations and their employees and about how common social engineering techniques are used to bypass 2FA.
What is two-factor authentication?
Two-factor authentication is used on top of the user's password when logging into an account, as a second form of authentication. The second layer of authentication can be a code delivered by text message or by an authenticator application, or it can be a fingerprint or face recognition. Two-factor authentication is a subset of multi-factor authentication. In the case of multi-factor authentication, the user is required to identify himself or herself in more than two different ways.
How does two-factor authentication work?
Two-factor authentication always requires a second form of identification. When you try to log in to an account, you first enter your username and password. When two-factor authentication is enabled, you must then provide a second form of proof that you are the owner of the account before you can access it.
Why do you need two-factor authentication?
Two-factor authentication is a new layer of security. Even if you mistakenly gave away your password, hackers would still need access to the second form of identification before they could enter your account. It is strongly recommended that you activate two-factor authentication for any essential account where possible. It is an additional layer of security that keeps you secure, unless, of course, you fall victim to social engineering and hand over the two-factor authentication code yourself. If you are looking for an authenticator application, here are some smartphone apps you can consider:
- Google Authenticator
- Microsoft Authenticator
- Salesforce Authenticator
- SecureAuth
- Duo Security
- Symantec VIP
- Transakt
- LastPass Authenticator
How hackers are using social engineering techniques to bypass two-factor authentication
While organizations consider two-factor authentication a secure way of verifying identity for access, there are fairly simple techniques for bypassing 2FA. In most of the cases below, we assume that the attackers already have the user's password.
1. Bypassing 2FA with conventional session management
In this case, attackers use the password reset function because 2FA is often not enforced on the system's login page after a password reset. How does it work in practice?
- The attacker clicks on the ‘change password’ link.
- The attacker requests the password reset token.
- The attacker uses the password reset token.
- The attacker logs into the web application.
Using this method, attackers can bypass two-factor authentication on platforms where the architecture of the site or platform makes it possible.
2. Bypassing 2FA using OAuth
OAuth integration allows users to log into their account using a third-party account. This means you have an alternative option to sign into a platform with your Facebook or Gmail account. How does OAuth work?
- The site requests an authentication token from the third-party site (e.g., Facebook).
- Facebook (or another third-party site) verifies the user account.
- Facebook (or another third-party site) sends a callback code.
- The site logs the user in.
Here, the attackers don't even need to get past 2FA if they, for example, have the user's Facebook or Gmail username and password.
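The two flaws above (a password reset that lands the user in a fully signed-in session, and an OAuth sign-in that skips the site's own second factor) share one fix: every path that creates a session must leave it pending until the second factor is checked. The following is an added example written for this article, not code from any real platform; the User and Session records, the in-memory token set and the require_2fa_after_reset flag are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:                       # hypothetical user record, constructed here
    username: str
    password: str
    mfa_enabled: bool
    reset_tokens: set = field(default_factory=set)

@dataclass
class Session:
    username: str
    mfa_verified: bool            # the session is usable only when this is True

def request_reset(user: User) -> str:
    """Issue a single-use reset token (a real system mails it to the user)."""
    token = secrets.token_urlsafe(32)
    user.reset_tokens.add(token)
    return token

def complete_reset(user: User, token: str, new_password: str,
                   require_2fa_after_reset: bool = True) -> Optional[Session]:
    """Finish a password reset. With require_2fa_after_reset=False this is the
    weak pattern from the article: the reset path yields a fully signed-in
    session and the second factor is never asked for. With it on (the default)
    the session stays pending until the second factor is verified."""
    if token not in user.reset_tokens:
        return None
    user.reset_tokens.discard(token)   # each token works exactly once
    user.password = new_password
    pending = user.mfa_enabled and require_2fa_after_reset
    return Session(user.username, mfa_verified=not pending)

def login_via_oauth(user: User, provider_verified: bool) -> Optional[Session]:
    """OAuth sign-in: the provider vouches for the identity, but the site's own
    second factor is still required before the session becomes usable."""
    if not provider_verified:
        return None
    return Session(user.username, mfa_verified=not user.mfa_enabled)

def verify_second_factor(session: Session, submitted: str, expected: str) -> Session:
    """Constant-time comparison of the submitted code against the expected one."""
    if hmac.compare_digest(submitted, expected):
        session.mfa_verified = True
    return session
```

Any request handler that checks only "is there a session?" rather than "is the session's second factor verified?" reintroduces the bypass, so the mfa_verified flag is what authorization should key on.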
3. Bypassing 2FA using brute force
When the two-factor authentication code is only four to six characters long (often just digits), attackers can bypass 2FA by brute-forcing the code against the account.
4. Bypassing 2FA using earlier-generated tokens
Some platforms let users generate tokens in advance, such as a document with a certain number of backup codes, to be used later in place of the regular 2FA code. If an attacker gets access to that document, they can easily use it to bypass 2FA, assuming that they also have the user's password.
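Points 3 and 4 both come down to how the verifier treats codes: a short numeric code is only safe if guesses are capped and the code expires, and pre-generated backup codes are only safe if they are stored hashed and each one works once. The following verifier is an added example constructed for this article, not any vendor's implementation; the SecondFactor class, the attempt cap, the five-minute window and the injectable clock are assumptions made here.

```python
import hashlib
import secrets
import time

MAX_ATTEMPTS = 5          # failed submissions allowed per issued code
CODE_TTL_SECONDS = 300    # a delivered code is good for five minutes

class SecondFactor:
    """Hypothetical verifier: delivered one-time code plus pre-generated backup
    codes (constructed for this article, not any vendor's implementation)."""

    def __init__(self, digits: int = 6, now=time.time):
        self.digits = digits
        self.now = now            # injectable clock, so expiry can be tested
        self.code, self.issued_at, self.failures = None, 0.0, 0
        self.backup_hashes = set()

    def issue_code(self) -> str:
        """Issue a fresh random code and reset the attempt counter."""
        self.code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self.issued_at, self.failures = self.now(), 0
        return self.code

    def verify_code(self, submitted: str) -> bool:
        if self.code is None or self.failures >= MAX_ATTEMPTS:
            return False          # no live code, or locked until a fresh one is issued
        if self.now() - self.issued_at > CODE_TTL_SECONDS:
            self.code = None      # expired codes are discarded, not retried
            return False
        if secrets.compare_digest(submitted, self.code):
            self.code = None      # single use
            return True
        self.failures += 1
        return False

    def generate_backup_codes(self, count: int = 10) -> list:
        """Shown to the user once; only SHA-256 hashes of the 40-bit random codes are kept."""
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def verify_backup_code(self, submitted: str) -> bool:
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        if digest not in self.backup_hashes:
            return False
        self.backup_hashes.discard(digest)   # each backup code works exactly once
        return True

def guess_probability(digits: int, attempts: int = MAX_ATTEMPTS) -> float:
    return attempts / 10 ** digits
```

With the cap in place, guess_probability shows why the article's advice on code length matters: five blind guesses succeed with probability 5e-4 against a four-digit code but only 5e-6 against a six-digit one, and without a cap both collapse toward certainty.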
5. Bypassing 2FA using social engineering
Case 1
In this case, too, we assume that the attacker already has the user's username and password. To obtain the 2FA code, the attackers could send you an email with a made-up excuse requesting the verification code that was sent to your phone number. Once you send them the code, the attacker can bypass the 2FA.
Case 2
Even when the attackers don't have your username and password, they can bypass 2FA by getting you to click on a link and go to a phishing website that mimics a real website, such as LinkedIn. The email would look like it comes from the service provider itself. When you provide your login credentials on the fake page, the hacker uses them to sign in on the real website. At that point you receive a code, and once you enter it on the fake website, the hacker gets the code as well and can then breach your account.
Stay safe when using 2FA
Despite the flaws outlined above, two-factor authentication is still a great way to secure your accounts. Here are a few tips on how to stay safe while using two-factor authentication:
- Use authenticator apps like Google Authenticator or Microsoft Authenticator whenever possible instead of text message codes.
- Never share security codes with anyone.
- If possible, use codes longer than 4 to 6 characters.
- If you are unsure about your security, double-check with someone else about what you should do.
- Use strong passwords: use a password generator and a password manager.
- Never reuse passwords.
- Consider using a security key as an alternative second factor for 2FA.
- Care about your security and understand common social engineering tactics. Give your employees the knowledge, skills, and tools they need to recognize what they are facing.