1. What is Two-Factor Authentication and 2. How hackers are using social engineering techniques to bypass two-factor authentication

1. What is Two-Factor Authentication

Two-factor authentication, often known as two-step verification, is a security feature that protects your online accounts by adding an extra layer of security.

Instead of using just one factor to verify your identity, such as a password, you use two: your password and a One-Time Password (OTP) delivered to you through SMS or email.

Let’s look at an example to help you understand. What are the requirements for logging into your email account?

  • Your email id
  • Your password

This is known as Single Step Verification. All we have to do is type in the credentials and log in. But do you realize how dangerous this process might be? Anyone can get their hands on your email address. Hackers can indeed access your account if your password isn’t strong enough! (If it’s “123456,” you’re in significant danger!)

As a result, 2FA was created. Even if someone has your email and password, they will not be able to access your accounts. 2FA adds a second layer of security by requiring you to submit a set of credentials that only you, the legitimate user, have access to. Unauthorised individuals will be unable to access your sensitive data as a result of this.

Many famous websites and services now enable two-factor authentication to ensure secure logins.

How Does 2FA Work?

Different 2FA methods employ different processes, but they all share a standard workflow.

A 2FA transaction usually goes like this:

  • The user enters their login credentials to access the website or service.
  • An authentication server verifies the password, and if it’s correct, the user is qualified for the second factor.
  • The authentication server provides the user’s second-factor device with a unique code.
  • By confirming the additional authentication, the user validates their identity.

While multi-factor authentication’s underlying processes are primarily the same across providers, there are many different ways to implement it, and not all approaches are made equal. Let’s look at the different types of 2FA.

Types of Two-Factor Authentication

Let’s have a look at how popular websites and applications are implementing 2FA these days.

  • Email-based 2FA
  • SMS-based 2FA
  • Voice-based 2FA
  • Software token/TOTP based 2FA
  • Bio-metrics based 2FA
  • As a Push Notification
  • Hardware Token-based 2FA

Different companies and services are using the above types of authentications to provide an extra layer of security to their customers and users.

Authenticator Apps

Authenticator apps may be the finest security choice for securing our login procedure. However, keep in mind that not all authenticator applications are capable of providing the most secure service. Only a few apps have been officially recognized for this service, and we have compiled a list of them for you. If you wish to learn more about these apps and use them, look up the specifics for each one below.

There are different ways to do 2FA; let me address some of them here:

  • Via SMS codes
  • Authenticator apps
  • YubiKey
  • LastPass
  • Google Authenticator
  • Microsoft Authenticator
  • Authy by Twilio
  • 2FA Authenticator
  • Duo Mobile
  • Aegis Authenticator
  • Salesforce Authenticator
  • SecureAuth
  • Duo Security
  • Symantec VIP
  • Transakt
  • Security keys
  • Biometric authentication


YubiKey

Call it the odd one out, but YubiKey by Yubico is the gold standard for two-factor authentication.

This is a physical key providing the ultimate security. Still, you can also use it with the YubiKey authenticator application if a specific platform doesn’t support hardware authentication.

Yubico has many products, and explaining each is out of this list’s scope. Ergo, we will focus on their 5 series, the latest, as of this writing.

These IP68-rated keys require no batteries to operate and are solidly built to last long.

The setup is easy, and the key works flawlessly with popular applications like Gmail and Facebook. These keys support protocols like FIDO2, U2F, OTP, Smart Card, etc.

YubiKey comes in various sizes and shapes and suits most modern devices.

While the standard versions are super secure, they also come as FIPS-certified models, which you can get by paying a fraction more.

LastPass

LastPass Authenticator is not a part of the popular password manager. Instead, it’s a standalone authenticator app that works on both Android and iOS devices. This software offers the most secure two-factor authentication available. You may also use this program to secure an unlimited number of accounts.

Google Authenticator

The most popular two-factor authentication program is Google Authenticator. This is an app to be installed on your mobile phone, and it gives you a real-time authentication code that changes every 30 seconds. Google suggests it for all of your Google accounts. It can, however, be used for a variety of other websites. Wear OS support, a dark theme, and offline support are among the additional features.

Google Authenticator includes several features like:

  • TOTP and HOTP algorithms
  • No need for an internet connection to use it

It’s completely free, clean, functional, and has a large user base. You will ultimately be able to add numerous accounts to this app.

Microsoft Authenticator

Microsoft Authenticator, a reliable authenticator tool built by Microsoft Corporation, can provide the most excellent 2FA security. It is the most suitable option, as it gives both safety and convenience. Microsoft Authenticator ensures tight security by verifying the validity of your device and network, as well as delivering TOTPs.

Furthermore, the app’s beautiful and well-designed user interface makes it easier to use.

Authy by Twilio

One of the more reliable two-factor authentication programs is Authy. It functions in the same way that Google and Microsoft’s versions do. You obtain codes from it, which you use to verify your login. It performs very well. The software includes offline support, device syncing, and compatibility for the most prominent websites and account types.

If you don’t want to utilize Google or Microsoft’s apps, this is a decent alternative. Authy is effective at what it does and has some exciting and extremely useful features.

  • Password protection
  • Cloud backup
  • Multi-device synchronization

2FA Authenticator

2FA Authenticator (2FAS) is an excellent option if you want elegant authentication software. For six-digit TOTP authentication, this is a great application. This app offers features such as QR-code-based authentication and others that make logging in easier and more secure. It allows you to altogether avoid the problem of an unintentional wrong input and saves time. Furthermore, this robust authenticator tool is compatible with over 500 social and other websites.

Its simplicity limits modification to some extent, but it still performs admirably.

Duo Mobile

The most powerful authentication apps for Android devices have been given to us by Duo Security LLC. Duo Mobile is designed to keep your login safe and secure. It comes with a two-factor authentication service that you may use with any app or website. This program will also notify you when it is being used. Once you’ve checked the message, you can be assured that your next login will be safe.

You’ll be able to utilize this app to handle practically all aspects of 2FA authentication.

Aegis Authenticator

Aegis isn’t the most well-known 2-factor authentication app, but it is a decent one. It has a lot of overlap with andOTP, but it adds a few other functions on top of that. For example, you can lock the app and only allow access after entering a PIN, password, or fingerprint. It’s remarkable to have that extra degree of security. The program supports both HOTP and TOTP authentication methods, and it works with most websites.

DO NOT delete or remove any social media account from the 2FA app directly. You may be locked out for the rest of your life.

To deactivate two-step verification, first go to that service’s security or privacy settings and disable it from there. After that, you can either remove that account from these two-factor authentication apps or uninstall them entirely.

Two-step verification is required to keep your accounts, conversations, files, and data safe. Even if your username and password are stolen or hacked, 2FA will protect your account as long as the attacker does not have physical access to your phone. This takes less than two minutes to set up and adds security. It is something I utilize on all of my accounts.

2. How hackers are using social engineering techniques to bypass two-factor authentication

While organizations consider two-factor authentication a secure way of identification for access, there are fairly simple techniques for bypassing 2FA. In most of the cases, we assume that the attackers already have the user’s password.

1. Bypassing 2FA with conventional session management

In this case, attackers use the password reset function because, often, 2FA is not implemented on the system’s login page after a password reset. How does it work in practice?

  • The attacker clicks on the ‘change password’ link.
  • The attacker requests the password reset token.
  • The attacker uses the password reset token.
  • The attacker logs into the web application.

Using this method, attackers can bypass the two-factor authentication in certain platforms where the architecture of the site or platform makes it possible.
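What "2FA not implemented after a password reset" looks like in code, and the fix, as an added example (this is not from the article and not any real platform's code): two versions of a password-reset handler in Python over constructed in-memory stores. The user `alice`, the token and session handling, and the `can_access_mailbox` guard are hypothetical names chosen for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo data: one user who has an authenticator app enrolled.
USERS: Dict[str, dict] = {"alice": {"password": "old-password", "has_2fa": True}}
RESET_TOKENS: Dict[str, str] = {}            # reset token -> username (single use)
ACTIVE_SESSIONS: Dict[str, "Session"] = {}   # session id -> session


@dataclass
class Session:
    sid: str
    username: str
    password_ok: bool
    second_factor_ok: bool

    def fully_authenticated(self) -> bool:
        # A session counts as logged in only when every enrolled factor has been checked.
        needs_2fa = USERS[self.username]["has_2fa"]
        return self.password_ok and (self.second_factor_ok or not needs_2fa)


def issue_reset_token(username: str) -> str:
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    return token


def _consume_token(token: str) -> Optional[str]:
    # Single use: remove the token once matched; constant-time compare avoids prefix leaks.
    for stored, user in list(RESET_TOKENS.items()):
        if secrets.compare_digest(stored, token):
            del RESET_TOKENS[stored]
            return user
    return None


def reset_password_vulnerable(token: str, new_password: str) -> Optional[Session]:
    """The flaw described in the text: a successful reset hands back a session that is
    treated as fully logged in, so the second factor is never requested on this path."""
    user = _consume_token(token)
    if user is None:
        return None
    USERS[user]["password"] = new_password
    sess = Session(secrets.token_hex(16), user, password_ok=True, second_factor_ok=True)
    ACTIVE_SESSIONS[sess.sid] = sess
    return sess


def reset_password_hardened(token: str, new_password: str) -> Optional[Session]:
    """Fix: a reset proves control of the recovery channel, not possession of the second
    factor. Mark only the password step done, revoke sessions opened under the old
    password, and let the normal login flow demand the OTP before anything sensitive."""
    user = _consume_token(token)
    if user is None:
        return None
    USERS[user]["password"] = new_password
    for sid in [s for s, sess in ACTIVE_SESSIONS.items() if sess.username == user]:
        del ACTIVE_SESSIONS[sid]   # kill sessions an attacker may already be holding
    sess = Session(secrets.token_hex(16), user, password_ok=True, second_factor_ok=False)
    ACTIVE_SESSIONS[sess.sid] = sess
    return sess


def complete_second_factor(sess: Session, otp_valid: bool) -> Session:
    # otp_valid is the outcome of the server's OTP check, which is outside this example.
    if otp_valid:
        sess.second_factor_ok = True
    return sess


def can_access_mailbox(sess: Session) -> bool:
    """The guard every protected route applies, however the session came to exist."""
    return sess.sid in ACTIVE_SESSIONS and sess.fully_authenticated()
```

The point of the hardened version is that authentication state is a property of the session, checked at every protected route, rather than something the login page alone is trusted to have done; any alternative entry point (reset, remember-me, SSO callback) then gets the same second-factor requirement for free.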

2. Bypassing 2FA using Open Authorization (OAuth)

OAuth is a framework that provides applications with limited access to a user’s data without giving away the password. For example, you can give an application permission to post on your Facebook account. In doing so, you are delegating a degree of access to your account using OAuth, but you aren’t providing your password to Facebook.

In this case, any website that allows you to delegate access via OAuth can also be used by an attacker as part of an OAuth phishing campaign, or consent phishing. With consent phishing, the attacker pretends to be a legitimate OAuth app and messages the victim, asking them to grant access. If the victim grants access, the attacker can do as they please within the scope of access they requested. Consent phishing allows the attacker to disregard credentials and bypass any 2FA that may be in place. OAuth integration also allows users to log into their account using a third-party account. This means that you would have an alternative option to sign into a platform with your Facebook or Gmail accounts. How does OAuth work?

  • The site requests an authentication token from the third-party site (e.g., Facebook).
  • Facebook (or another third-party site) verifies the user account.
  • Facebook (or another third-party site) sends a callback code.
  • The site logs the user in.

Here, the attackers don’t even need to use 2FA if they, for example, have the user’s Facebook or Gmail username and password.

3. Bypassing 2FA using brute force

When the two-factor authentication code is only four to six characters long (often just digits), attackers can attempt to bypass 2FA by brute-forcing the code against the account. Attackers sometimes opt for a brute-force approach depending on the age of the equipment used by the target. For example, some legacy key fobs produce codes only four digits long and are thus easier to crack (longer OTP codes increase the difficulty because there are more possible combinations to try).

The obstacle for hackers is that OTPs are only valid for a short time, usually just a few seconds to minutes. So, there are a limited number of codes to try before it changes. When 2FA is implemented correctly, the 2FA authentication server prevents this type of attack by only allowing a small number of incorrect OTP codes per user.
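The server-side limits this passage describes, as an added example written for this article (not code from any product): a small OTP verifier in Python that enforces a short lifetime, single use, and a lockout after a handful of failures, plus the arithmetic for why a four-digit code fares worse than a six-digit one under the same limit. The 30-second lifetime, five-failure limit, 15-minute lockout and the user names are constructed values, not figures from the article.

```python
import hmac
from dataclasses import dataclass
from typing import Dict

MAX_FAILURES = 5            # wrong codes tolerated per challenge before lockout (constructed)
LOCKOUT_SECONDS = 15 * 60   # how long OTP checks are refused after lockout (constructed)
CODE_LIFETIME = 30          # seconds an issued code stays valid (constructed)


@dataclass
class OtpChallenge:
    expected: str           # the code the server generated for this login attempt
    issued_at: float
    failures: int = 0
    locked_until: float = 0.0


class OtpVerifier:
    """Tracks one outstanding OTP challenge per user and enforces the limits that make
    guessing impractical: short lifetime, single use, and very few failures allowed."""

    def __init__(self) -> None:
        self.challenges: Dict[str, OtpChallenge] = {}

    def issue(self, user: str, code: str, now: float) -> None:
        self.challenges[user] = OtpChallenge(expected=code, issued_at=now)

    def verify(self, user: str, submitted: str, now: float) -> str:
        ch = self.challenges.get(user)
        if ch is None:
            return "no_challenge"
        if now < ch.locked_until:
            return "locked"                  # even a correct code is refused while locked
        if now - ch.issued_at > CODE_LIFETIME:
            del self.challenges[user]
            return "expired"
        if hmac.compare_digest(ch.expected, submitted):
            del self.challenges[user]        # single use: a captured code cannot be replayed
            return "ok"
        ch.failures += 1
        if ch.failures >= MAX_FAILURES:
            ch.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def guess_probability(digits: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random numeric code
    of `digits` digits: 5 tries against 4 digits is 1 in 2,000; against 6 digits 1 in 200,000."""
    return attempts / 10 ** digits


def attempts_until_locked(verifier: OtpVerifier, user: str, digits: int, now: float) -> int:
    """Sequential guessing against the verifier above, used to confirm the control holds:
    returns how many submissions were accepted before further checks were refused."""
    tries = 0
    for n in range(10 ** digits):
        tries += 1
        if verifier.verify(user, str(n).zfill(digits), now) in ("locked", "ok", "expired"):
            break
    return tries
```

Two details matter in practice: the comparison is constant-time so the failure count is the only information a wrong guess yields, and the lockout applies to the account's challenge rather than to the source IP, since a distributed guesser would otherwise sidestep a per-address limit.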

4. Bypassing 2FA using earlier-generated tokens

Some platforms offer the possibility for users to generate tokens in advance, such as a document with a certain number of codes, to be used later for bypassing 2FA. If an attacker gets access to the document, they can easily use it to bypass 2FA, assuming that they also have the password of the user.

5. Bypassing 2FA with Session Cookie or Man-in-the-middle

Cookie stealing, otherwise known as session hijacking, is stealing the user’s session cookie. When users log into a site, they do not need their password every time.

A cookie contains the user’s information, keeps the user authenticated, and tracks their session activity. The session cookie stays in the browser until the user logs out, and closing the window doesn’t log the user out.

So, an attacker can use the cookie to his advantage. Once the hacker acquires the session cookie, he can bypass the two-factor authentication. Attackers know many hijacking methods, like session sniffing, session fixation, cross-site scripting, and malware attacks.

Also, Evilginx is a popular framework that hackers use for man-in-the-middle attacks. With Evilginx, the attacker sends a phishing link to the user, which takes the user to a proxy login page. When the user logs into his account using 2FA, Evilginx captures his login credentials and the authentication code.

Because the OTP expires once it has been used and is only valid for a short time, there is no need for the attacker to keep the authentication code. Instead, the hacker has the user’s session cookies, which he uses to log in and bypass the two-factor authentication.
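Why a hardware security key's FIDO2/WebAuthn login is not captured by a reverse-proxy phishing page in the way an OTP is, as an added example (this is not code from the article or from Evilginx): the relying-party checks a server performs on a WebAuthn assertion, in Python. The RP ID, origin and challenge values are constructed, the browser and authenticator messages are built by hypothetical helper functions, and signature verification is deliberately left out so the focus stays on origin binding.

```python
import base64
import hashlib
import json
import struct
from typing import Tuple

# Constructed relying party; a real deployment takes these from its configuration.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def check_assertion(client_data_b64: str, authenticator_data: bytes,
                    expected_challenge: str) -> Tuple[bool, str]:
    """Relying-party checks that defeat a proxy sitting between user and site: the
    browser writes the page's real origin into clientDataJSON, and the authenticator
    hashes the RP ID it was invoked for into authenticatorData. A phishing domain
    cannot produce either value for the genuine site, so the assertion is rejected
    even if the proxy relays it verbatim. (The signature over
    authenticatorData || SHA-256(clientDataJSON) is checked after this; omitted here.)"""
    client_data = json.loads(_b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    origin = client_data.get("origin")
    if origin != EXPECTED_ORIGIN:
        return False, f"origin {origin!r} is not {EXPECTED_ORIGIN!r}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


# Constructed helpers standing in for what a browser and authenticator would send.
def make_client_data(origin: str, challenge: str) -> str:
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return _b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    flags = 0x01  # UP: user present
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)
```

Contrast this with the OTP case above: a six-digit code carries no information about where it was typed, so a proxy can forward it unchanged; the WebAuthn origin and RP ID are filled in by the browser and the key, not the user, which is what makes security keys the phishing-resistant option recommended later in this article.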

6. Bypassing 2FA with SIM-Jacking

SIM-jacking occurs when an attacker takes control of someone’s phone number by tricking a mobile phone carrier into transferring the number to their phone.

Control over the phone number means the hacker can intercept the OTP sent via SMS. The attacker accomplishes this by phishing or social engineering. Either way, they trick the victim into installing malware that collects the needed information on the SIM card.

7. Bypassing 2FA using social engineering

  • Case 1

In this case, too, we assume that the attacker has a hold of the user’s username and password. To attain the 2FA code, the attackers could send an email to you with a made-up excuse to request the verification code that was sent to your number. Once you send them the code, the attacker will be able to bypass the 2FA.

  • Case 2

Even when the attackers don’t have your username and password, they could bypass 2FA by getting you to click on a link and go to a phishing website that mimics a real website, such as LinkedIn. The email would look like it comes from the service provider itself. When you provide your login credentials on the fake page, the hacker can use it to sign in on the real website. At that point, you receive a code, and once you enter it on the fake website, the hacker gets the code as well. They can then successfully breach your account.

Despite the flaws that we outlined above, two-factor authentication is still a great way to secure your accounts. Here are a couple of tips on how to stay safe while using two-factor authentication:

  • Use authenticator apps like Google or Microsoft Authenticator whenever possible instead of text message codes.
  • Never share security codes with anyone.
  • If possible, use codes longer than 4 to 6 characters.
  • If you are unsure about your security, double-check with someone else about what you should do.
  • Use difficult passwords – use a password generator and a password manager.
  • Never reuse passwords.
  • Consider using a security key as an alternative form of authentication used in 2FA.
  • Care about your security and understand common social engineering tactics. Provide your employees with knowledge, skills, and tools so they would know what they are facing.

So while multi-factor authentication is a deterrent most of the time, these attacks show that it isn't infallible.

Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions.

And there are other scenarios which can be exploited to bypass multi-factor authentication too, because in many instances, a code is required, and a person needs to enter that code. And people can be tricked or manipulated even while the technology tries to protect us.

At the end of the day, whether it's a number or it's a piece of information, as soon as the user sees it, it becomes something they know and if it's something that they know it's something the attacker can steal.

It takes a little more effort from the attacker, but it's possible to grab these codes. For example, SMS verification is still a common method of MFA for many, particularly for things like bank accounts and phone contracts. In some cases, the user is required to read out a code over the phone or input it into a service.

It's a potentially complex process, but it's possible for cyber criminals to spoof helplines and other services which ask for codes to devices – especially if people think they're talking to someone who is trying to help them. It's why many services will preface an SMS code with a warning that they'll never call you to ask for it.

It's not that surprising attackers prey on the human aspect, the people components of the system. People being busy, people being stressed, all sorts of things influence decisions we make.


Conclusion

Despite the vulnerabilities, 2FA remains one of the best ways to protect accounts. To ensure that your 2FA parameters are fully optimised, be sure to apply the best practices listed above.

Apps like Google and Microsoft Authenticator are widely available to support your security efforts, and your security administrator should have tools and procedures in place as well, from anti-malware, anti-phishing, 2FA, and SASE to cloud-based air-gap immutable backup storage.
