Two-factor authentication and how to bypass it

Two-factor authentication (2FA) is one of the most popular ways to protect accounts on the Internet today. It is widely used for both corporate networks and personal accounts around the world. In simple terms, this authentication method sends a special unique code to the user's phone or e-mail, which the user must enter after providing the login and password for the account. Today, however, there are other forms of 2FA that differ in a number of specific ways from this basic version.

In practice, two-factor authentication is designed to give personal pages a sufficiently high additional level of protection from any unauthorized access, including by hackers. But, as reality shows, attackers with fairly deep knowledge of this area and a serious desire can still find a way around it.

Let us now look in more detail at what two-factor authentication is and what varieties of it exist today. We also describe 6 ways that attackers can use to bypass 2FA, and cover the main points that will raise the security level of two-factor authentication. By knowing how attackers act, you can avoid their tricks and give your accounts a fairly high level of protection, including against hacking actions such as brute-force attacks on accounts.

Introducing Two-Factor Authentication

2FA is a second level of authentication, designed to complement the classic username and password combination that users enter when logging into their account. If necessary, two-factor authentication can be configured to use any method of verifying account ownership; the choice depends on the users' own preferences as well as the features of a particular system. If your personal page requires the highest possible level of protection, experts recommend going further, to multi-factor authentication (MFA), which combines several levels of verification. As an example, a password can be used in combination with a physical token and biometrics. This method of protection is more reliable than classic 2FA, but it is more difficult to implement and more time consuming, which is not always convenient for the user's everyday actions on the network.

Main types of two-factor authentication

We have already said that there is far more than one variant of 2FA today. A number of applications and services let the user choose the type of verification that suits them best in addition to the login and password. Alongside them, there are services that do not allow such a choice.

Possible options for two-factor authentication:

  1. 2FA by SMS message. This identification method requires the user to provide their phone number during the initial profile setup. After that, each time you log in to the system, you will need to enter a one-time confirmation code (One-Time Password, OTP). For the most part, this is a set of digits that arrives as a text message on your phone. The method is quite simple and convenient to use, since today almost everyone has a smartphone. In addition, it does not require any additional parameters or the installation of special applications. But if the connection is lost or there are problems with the phone itself, you will not be able to log into your account.
  2. 2FA via voice call. When you log in to an application, you are prompted to accept a call and follow the instructions given in it. Often you are asked to press a particular number on the keypad. In this case, you do not need to enter either a login or a password; it is enough to confirm your request by phone. In some cases, you may need to enter the code read out by the robot over the phone into the appropriate form on the site.
  3. 2FA via email. In essence this technology is identical to two-factor authentication via SMS. The only difference is that the one-time confirmation code is sent to you not by phone, but by e-mail. In some cases, instead of entering a code, you may be asked to open your account via a link. This authentication method requires Internet access. Another possible problem with this variant is that the system may classify such an e-mail as spam, which means that logging into your account may take longer. You also need to understand that if attackers have access to your email, they can easily bypass this authentication.
  4. 2FA through dedicated TOTP applications. This authentication method uses the Time-based One-time Password Algorithm (TOTP for short). It requires installing special software on the user's smartphone, for example Microsoft Authenticator, Yandex Key or Google Authenticator. If you decide to log into your account from a new device, you open the application on your smartphone and verify your identity through it. The program generates a one-time temporary code, usually 6-8 digits long, which is refreshed every half minute. If you do not enter it within this period, the request must be repeated. After you enter this code in the appropriate form on the site, you get access to your account. This method of two-factor authentication is convenient, easy to set up and use, and more reliable than 2FA via SMS. If you do not use the same password for everything, then in combination with a TOTP authenticator it will be extremely difficult for attackers to break in.
  5. 2FA through a hardware key. In practice, a physical device is used for authorization, including USB tokens, TOTP key fobs and NFC cards. Here the code is generated on average every 30 or 60 seconds. One of the most significant advantages is that no Internet connection is needed. Today, this method of two-factor authentication is considered the simplest, yet reliable and secure. But one must understand that both the issuance and the subsequent maintenance of such keys require material investment, which in the end can place a significant additional financial burden on the business. There is also always the risk of physically losing the key itself.

TOP 6 ways to bypass two-factor authentication

Despite the variety of two-factor authentication options, each of the methods above still has weaknesses that attackers can use to bypass 2FA. Here are the 6 ways that hackers most often use in practice:

  1. Using social engineering techniques. This is a non-technical attack in which the attacker, already holding the login and password, deceives the victim into handing over the secret code. In some cases, an attacker who knows enough about you can call the support service of the target service on your behalf and report problems with authentication, or that the account is blocked. As a result, he obtains one-time access to your account, which lets him reset the existing password and change it to his own.
  2. Using open authorization (OAuth). This is an open authorization standard that gives applications and services limited access to user data without revealing the password. An attacker can simply pretend to be a legitimate application and send you a message asking you to grant access on behalf of the resource. If such access is granted, the attacker can do everything within the scope of the requested access, without needing the credentials and bypassing any authentication.
  3. Using brute force. This is a rather crude method based on exhaustive search. It is mainly aimed at weakly protected or outdated hardware. As an example, old-style hardware keys often have only 4 digits in the code, so it is not difficult for a program to run through all possible options quickly enough to find the correct one. The only catch is that the attacker is very limited in time, since the current code is valid for no more than 30-60 seconds. With correctly organized two-factor authentication, such an attack is impossible to carry out: as soon as an attacker enters several incorrect OTP codes, the system automatically blocks him.
  4. Using previously generated tokens. A number of platforms today allow users to generate codes in advance. Such an option is provided, for example, in the security settings of a Google account. You can download a document with a certain number of backup codes, which you can later use instead of the second factor. This solution is useful if you lose the smartphone to which 2FA was tied. But once this document falls into the hands of an attacker, he gains full access to your account, even though you took care to protect it with two-factor authentication.
  5. Using session cookies. Attackers often steal cookies; this attack is also called session hijacking. For the most part, users do not need to enter a login and password every time they visit a site, because the browser already holds a special cookie from the previous session containing all the information needed to authenticate. These cookies remain in the browser until you manually log out. So if this cookie ends up in the hands of an attacker, he can gain access to the account. How is this done? There are several options: cross-site scripting, session fixation, interception, malware, and so on. Hackers favour this technique primarily because, unlike one-time codes, a stolen session has no short validity period.
  6. Using SIM-jacking. This method of bypassing two-factor authentication involves gaining full control over your phone number. Most often, the attackers begin by collecting information about the potential victim. They then use it at a mobile operator's store to obtain a new SIM card in your name. Having your real phone number in their possession, the attacker can intercept the code and subsequently gain access to all your accounts.
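Item 3 says that a correctly organized 2FA check blocks the account after several incorrect codes. As an added example (not code from the original article), here is a server-side verifier that does exactly that, with a constant-time comparison so that a wrong guess does not leak which digits matched. The thresholds and the in-memory account store are assumed policy values for the illustration, not those of any particular service.

```python
# Added example (not from the original article): the server-side lockout the text refers to.
# MAX_FAILURES and LOCKOUT_SECONDS are assumed policy values.
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # wrong OTP entries tolerated before the account is locked
LOCKOUT_SECONDS = 15 * 60   # duration of the lock


@dataclass
class OtpState:
    """Per-account counters the server keeps between login attempts."""
    failures: int = 0
    locked_until: float = 0.0


class OtpVerifier:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, so the behaviour is testable
        self._state: dict[str, OtpState] = {}

    def verify(self, account: str, expected: str, submitted: str) -> str:
        """Returns 'ok', 'wrong' or 'locked'. A locked account's code is not evaluated at all."""
        st = self._state.setdefault(account, OtpState())
        now = self._now()
        if now < st.locked_until:
            return "locked"
        # Constant-time comparison: a plain '==' stops at the first mismatching digit.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def guess_success_probability(digits: int, attempts: int = MAX_FAILURES) -> float:
    """Chance that random guessing succeeds within the attempts allowed per lock window.

    With 6 digits and 5 attempts that is 5 / 10**6, versus 5 / 10**4 for the
    4-digit hardware tokens mentioned above: the lockout, not the code length
    alone, is what makes exhaustive search impractical."""
    return attempts / 10 ** digits
```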

Improving the security of two-factor authentication

Yes, modern hackers have many tools that allow them to bypass two-factor authentication. Even so, 2FA remains one of the most reliable ways to protect accounts online. To ensure the most stable and safe work on the Internet, follow these recommendations:

  • Choose authenticator apps instead of SMS codes. Applications are more secure in operation, and the one-time code cannot be obtained without full access to your smartphone.
  • Keep both one-time and backup security codes as secure as possible, so that unauthorized persons cannot gain access to them.
  • Choose long security codes of more than 6 characters. Most modern services allow such settings.
  • Do not protect your account with simple passwords. A more reliable solution is to generate passwords with a dedicated program and use them together with a password manager.
  • Use different passwords for different accounts. This is especially important for critical accounts.
  • We recommend using physical security keys as an alternative form of authentication.
  • Study the subject of social engineering thoroughly. The knowledge gained will help you avoid becoming a victim.

Now we want to look in more detail at one more method of ensuring safe and stable operation on the network: the additional use of mobile proxy servers. They pass all data streams through themselves while replacing the real user parameters with their own. This ensures that your real IP address and geolocation are securely hidden, which means that an attacker will not gain access to your device.

For more details on the features and capabilities of mobile proxies from the MobileProxy.Space service, see the service page and choose the best tariff for yourself. You also have the opportunity to take advantage of free two-hour testing to make sure that the proxies are effective and stable before purchasing them. In combination with two-factor authentication, mobile proxies will give you a fairly high level of secure and stable browsing on the Internet, as well as protecting your accounts from any unauthorized access.
