
5 ways attackers bypass Two-factor Authentication (2FA)

The need to keep information safe has made people more aware of the importance of securing their accounts. Passwords by themselves are no longer sufficient for this purpose. Users often pick easy-to-guess passwords and, worse still, reuse them across multiple accounts. To complicate matters further, password breaches let malicious actors obtain login details, passwords included, with little effort.

The easiest way to improve on the minimal security provided by a password or passphrase is to enable two-factor authentication (2FA) on your accounts. This is an extra layer of protection that combines something you have (your device) with something you know (the password), making it harder for your account to be compromised. However, like any other security mechanism, it is not a silver bullet. In this blog post we cover 5 ways attackers typically bypass 2FA.

1. Bypassing 2FA using Realtime Phishing

Realtime phishing is arguably the neatest way attackers bypass two-factor authentication. It is a realtime man-in-the-middle (MitM) attack in which the phishing website looks identical to the real one, which makes the victim much easier to fool.

Rather than cloning the real website, which results in an inconsistent look (e.g. typos, outdated content) and feel (e.g. a broken login page), the website is mimicked dynamically by a realtime phishing proxy standing between the victim and the real website and capturing all communications. Since the victim's requests pass through the proxy in realtime, any 2FA code the victim enters is stolen by the attacker and seamlessly forwarded to the real website. Once the victim has completed the sign-in process, the attacker takes hold of the session cookie created after authentication. This cookie is what allows the browser to re-identify itself to the website's server, so the attacker uses it to impersonate the user and gain access. From the victim's point of view the login simply succeeds; the domain name in the address bar is what gives the proxy away.
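To make the mechanics concrete, here is an added example (not PhishDeck's Phinn or any code from the original post) sketching in Python the transformations such a proxy performs: rewriting redirects and cookie scope in responses so the victim stays on the proxy, recording posted credentials and OTP codes before relaying them, and keeping the session cookie the real site sets. The hostnames, form field names and all request and response messages are constructed assumptions; nothing here talks to a network.

```python
"""Mechanics of a realtime phishing proxy (added illustration, not PhishDeck code).

The proxy sits between the victim's browser and the real site.  Responses
from the real site are rewritten so that redirects, links and cookies keep
pointing at the proxy; requests from the victim are recorded before they are
relayed.  Hostnames, field names and all messages below are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

REAL_HOST = "login.example.com"        # assumed legitimate site
PHISH_HOST = "login.example-com.test"  # assumed attacker-controlled host


def rewrite_response_headers(headers):
    """Keep the browser on the proxy: rewrite redirects and rescope cookies."""
    rewritten = []
    for name, value in headers:
        if name.lower() == "location":
            value = value.replace(REAL_HOST, PHISH_HOST)
        elif name.lower() == "set-cookie":
            # A cookie scoped to the real domain would never be sent back to
            # the proxy, so the copy handed to the victim is rescoped.
            value = value.replace(f"Domain={REAL_HOST}", f"Domain={PHISH_HOST}")
        rewritten.append((name, value))
    return rewritten


def rewrite_body(body):
    """Absolute links in HTML or JavaScript are pointed at the proxy as well."""
    return body.replace(REAL_HOST, PHISH_HOST)


def capture_submission(body, fields=("username", "password", "otp")):
    """Record credential fields from the victim's POST body before relaying it."""
    form = parse_qs(body, keep_blank_values=True)
    return {k: form[k][0] for k in fields if k in form}


def harvest_session(headers):
    """Keep the unmodified cookies the real site sets once 2FA has succeeded."""
    jar = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            for key, morsel in cookie.items():
                jar[key] = morsel.value
    return jar


def simulate_login():
    """Walk through the exchange the text describes with constructed messages."""
    captured = {}
    # 1. Victim posts username and password to the proxy; proxy records and relays.
    captured.update(capture_submission("username=alice&password=hunter2"))
    # 2. Real site redirects to its 2FA page; proxy rewrites the redirect.
    redirect = dict(rewrite_response_headers(
        [("Location", f"https://{REAL_HOST}/2fa")]))["Location"]
    # 3. Victim enters the OTP on the proxied 2FA page; proxy records and relays it.
    captured.update(capture_submission("otp=492817"))
    # 4. Real site sets the authenticated session cookie; proxy keeps the
    #    original for itself and hands the victim a rescoped copy.
    real_headers = [("Set-Cookie",
                     f"session=9f2c7e1a; Domain={REAL_HOST}; Path=/; Secure; HttpOnly")]
    stolen = harvest_session(real_headers)
    victim_copy = rewrite_response_headers(real_headers)[0][1]
    return {"captured": captured, "redirect": redirect,
            "session": stolen, "victim_cookie": victim_copy}
```

The OTP is consumed by the real site exactly once, on the attacker's behalf, which is why the code itself offers no protection here; what the attacker walks away with is the post-authentication session cookie in `session`.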

“Realtime phishing diagram”

The video below demonstrates Phinn, PhishDeck’s realtime phishing simulation proxy which shows exactly how 2FA can be bypassed using the realtime phishing technique.

2. Bypassing 2FA using social engineering

Social engineering is a non-technical attack in which the attacker plays on the victim's emotions to get the information they are after. The latest Verizon DBIR report puts it succinctly:

“Psychological compromise of a person, which alters their behavior into taking an action or breaching confidentiality.”

Social engineering attacks seeking to obtain two-factor authentication (2FA) codes may take a number of forms, but the following two are the most common.

The attacker may already have obtained the victim's username and password by some other means, leaving only the 2FA code to be acquired. The attacker then calls or messages the victim with a compelling narrative the victim is likely to believe, urging them to hand over the code. Because codes expire quickly, the attacker is typically sitting at the login prompt while this happens, ready to enter the code the moment it is read out.

“Social engineering message”

Alternatively, knowing some basic information about the victim such as name, address and email, the attacker may call a customer support line pretending to have been locked out of the account, and use that excuse to ask for access or for a password reset. The attacker may also claim to be having trouble with their authenticator app. If the attacker plays the part well enough and the support agent is convinced, the security controls are bypassed without a single code being guessed.

The following interview with Rachel Tobac offers a window into how effective social engineering can be.

3. Bypassing 2FA using SIM-jacking

SIM-jacking refers to an attacker taking control of someone's phone number by tricking the mobile carrier into transferring it to a SIM the attacker holds. With control of the number, the attacker can intercept any one-time password sent via SMS. Instead of social-engineering the carrier, the attacker may go down the phishing route, tricking the victim into installing malware that collects the necessary details about the SIM card, as illustrated by the diagram below.

“SIM-jacking diagram”

4. Bypassing 2FA using OAuth phishing

OAuth is a framework that lets applications have limited access to a user's data without being given the user's password. For example, when you give an application permission to post to your Facebook account, you are delegating some degree of access using OAuth without handing over your password.

Any website that allows a user to delegate access via OAuth can therefore be abused in an OAuth phishing campaign. This is why OAuth phishing is sometimes called consent phishing: the attacker messages their victim with a link to the consent screen for an app the attacker registered, typically masquerading as a reputable app by reusing its name and logo. The consent screen itself belongs to the real identity provider; only the app behind it is malicious, which is what makes the lure convincing.

If the victim grants access, the attacker can do whatever the requested OAuth scopes permit, for as long as the grant remains in place. Not only does the attacker need no credentials, they also bypass any 2FA in place, because it is the victim's own authenticated session that approves the grant.
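As an added example, not code from the original post, the Python below triages an OAuth authorization link the way a defender might before approving it: it parses `client_id`, `redirect_uri` and `scope` out of the link and flags unreviewed clients, redirect hosts not registered for the client, and scopes that hand over mailbox or file contents or long-lived access. The allow-list, the scope names and both sample links are constructed assumptions; real identity providers use their own scope vocabularies and client identifiers.

```python
"""Triage of an OAuth consent link (added example, not code from the original post).

The consent screen shows whatever name and logo the attacker registered, so a
defender looks past it at the request itself: which client_id is asking,
where tokens will be redirected, and which scopes are requested.  The
allow-list, scope names and sample links below are constructed assumptions.
"""
from urllib.parse import parse_qs, urlparse

# Assumed: clients the organisation has reviewed, with the redirect hosts
# registered for each.
APPROVED_CLIENTS = {
    "c0ffee00-calendar-sync": {"redirect_hosts": {"sync.example-partner.com"}},
}

# Assumed: scopes that hand over mailbox or file contents, or long-lived access.
HIGH_RISK_SCOPES = {"mail.readwrite", "files.readwrite.all", "offline_access"}


def triage_consent_link(url):
    """Return what a reviewer needs before anyone clicks Accept on this link."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client_id = params.get("client_id", "")
    scopes = params.get("scope", "").split()
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""
    findings = []

    approved = APPROVED_CLIENTS.get(client_id)
    if approved is None:
        findings.append(f"unreviewed client_id {client_id!r}")
    elif redirect_host not in approved["redirect_hosts"]:
        findings.append(f"redirect host {redirect_host!r} not registered for this client")

    risky = sorted(s for s in scopes if s.lower() in HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes: " + ", ".join(risky))

    return {"client_id": client_id, "redirect_host": redirect_host,
            "scopes": scopes, "findings": findings, "block": bool(findings)}


# Constructed sample links.  The first mimics a consent-phishing lure: an
# unknown app asking for mailbox access plus a refresh token; the second is a
# reviewed client asking for a narrow scope.
PHISH_LINK = ("https://idp.example.com/authorize?response_type=code"
              "&client_id=7e11-mailguard-pro"
              "&redirect_uri=https%3A%2F%2Fmailguard-pro.test%2Fcb"
              "&scope=openid%20Mail.ReadWrite%20offline_access")
BENIGN_LINK = ("https://idp.example.com/authorize?response_type=code"
               "&client_id=c0ffee00-calendar-sync"
               "&redirect_uri=https%3A%2F%2Fsync.example-partner.com%2Fcb"
               "&scope=openid%20calendars.read")
```

The same parameters are what an administrator restricts when requiring admin consent for unreviewed applications: the display name is attacker-chosen, the client identifier and redirect host are not.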

5. Bypassing 2FA through flawed logic and brute force

Two-factor authentication (2FA) is no exception to the rule that website features can contain security flaws. Sometimes the implementation is flawed to the point that the website itself hands the attacker the bypass.

In some cases the user is first prompted for a password and the verification code is requested on a separate page, and because of an implementation flaw the user is effectively treated as logged in before the code has been entered. An attacker who knows the password can then simply skip the second page and browse straight to an authenticated part of the site.

Another common bypass exploits a website that does not check that the user who entered the password is the same one submitting the verification code. The attacker logs in with their own account and then tricks the application into completing the login for another user's account when submitting the code, for example by changing a username parameter or cookie that the verification step trusts.

Finally, brute force is sometimes an option, since a one-time password (OTP) is normally only 4 to 6 digits long, which gives at most a million possible values (longer codes raise the difficulty since there are more possible values to try). The catch for the attacker is that an OTP is only valid for a short period, typically 30 seconds for authenticator apps and up to a few minutes for SMS codes, so only a limited number of guesses fit before the code changes. Websites that implement 2FA correctly prevent this attack by allowing only a handful of incorrect codes per login attempt before locking or restarting the process; the limit must apply to the account being verified, not only to the attacker's IP address, since addresses are cheap to rotate.
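The three weaknesses above (treating the user as logged in before the code is checked, not binding the code check to the user who entered the password, and allowing unlimited guesses) are easiest to see side by side. The Python below is an added example, not code from the original post: a vulnerable login flow with all three flaws next to a hardened one that binds the second step to the pending session and locks it after a few failures, with an RFC 6238 TOTP routine so the codes are real 6-digit, 30-second ones. The account names, passwords, seeds and timestamps are constructed for the example.

```python
"""Second-step verification done wrong and done right (added example).
Flaws modelled: (1) session marked authenticated as soon as the password is
accepted, (2) OTP step trusts a username sent with the code, (3) no attempt
limit.  TOTP follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).  Accounts,
seeds and timestamps are constructed for the example."""
import hashlib
import hmac
import struct

STEP = 30          # seconds per TOTP window
DIGITS = 6
MAX_ATTEMPTS = 5   # failed OTP entries allowed per pending login

USERS = {  # constructed accounts: password and TOTP seed
    "alice": {"password": "correct horse", "seed": b"alice-seed-0123456789"},
    "mallory": {"password": "mallory-pw", "seed": b"mallory-seed-987654321"},
}


def totp(secret, at, step=STEP, digits=DIGITS):
    """RFC 6238 code for time `at` (seconds since the epoch)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class VulnerableLogin:
    def __init__(self):
        self.session = {}

    def password_step(self, user, password):
        if USERS.get(user, {}).get("password") == password:
            self.session = {"user": user, "authenticated": True}  # flaw 1
            return True
        return False

    def otp_step(self, user, code, now):
        # flaw 2: `user` comes from the request; flaw 3: no attempt counter
        if totp(USERS[user]["seed"], now) == code:
            self.session["user"] = user
            return True
        return False


class HardenedLogin:
    def __init__(self):
        self.session = {}

    def password_step(self, user, password):
        if USERS.get(user, {}).get("password") == password:
            self.session = {"pending_user": user, "authenticated": False,
                            "otp_attempts": 0}
            return True
        return False

    def otp_step(self, code, now):
        s = self.session
        user = s.get("pending_user")
        if user is None or s["otp_attempts"] >= MAX_ATTEMPTS:
            return False  # nothing pending, or this login is locked out
        s["otp_attempts"] += 1
        # Accept the current and the previous window to absorb clock drift.
        valid = any(hmac.compare_digest(totp(USERS[user]["seed"], now - d), code)
                    for d in (0, STEP))
        if valid:
            self.session = {"user": user, "authenticated": True}
        return valid


def brute_force_success_probability(attempts, digits=DIGITS):
    """Chance that `attempts` distinct guesses hit one fixed code."""
    return min(1.0, attempts / 10 ** digits)


def demo(now=1_700_000_000):
    """Mallory, holding only her own password, goes after Alice's account."""
    alice_code = totp(USERS["alice"]["seed"], now)
    wrong = ["000000", "123456", "999999", "111111", "222222"]

    v = VulnerableLogin()
    v.password_step("mallory", "mallory-pw")
    authed_before_otp = v.session["authenticated"]
    for guess in wrong:                     # unlimited guesses (flaw 3)
        v.otp_step("alice", guess, now)
    hijacked = v.otp_step("alice", alice_code, now) and v.session["user"] == "alice"

    h = HardenedLogin()
    h.password_step("mallory", "mallory-pw")
    hardened_authed_before_otp = h.session["authenticated"]
    for guess in wrong:                     # five failures: step is now locked
        h.otp_step(guess, now)
    locked_out = not h.otp_step(totp(USERS["mallory"]["seed"], now), now)
    return {"authed_before_otp": authed_before_otp, "hijacked": hijacked,
            "hardened_authed_before_otp": hardened_authed_before_otp,
            "locked_out": locked_out,
            "odds_within_limit": brute_force_success_probability(MAX_ATTEMPTS)}
```

Running `demo()` shows Mallory, who knows only her own password, landing in Alice's session on the vulnerable flow, while the hardened flow refuses even a correct code once the attempt limit has been reached; with a five-attempt limit the odds of guessing a six-digit code are five in a million. Note that the hardened `otp_step` takes no username at all: the only account it will ever verify is the one stored server-side when the password was accepted.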

Avoiding 2FA attacks

After learning about the two-factor authentication bypass techniques outlined above, you may be wondering how to stay safe against such attacks. While some attacks are unfortunately outside your control, there is a lot you can do to improve your 2FA security posture. The following tips should help you do just that.

  • Ensure that 2FA is enforced on your accounts. If you can choose to skip 2FA, it is as if you did not have it at all;
  • Avoid codes sent by SMS and use authenticator apps such as Google Authenticator or Authy instead, or better still WebAuthn (if the service you are using supports it), whose credentials are bound to the website's origin and so cannot be relayed through a phishing proxy;
  • As with all other forms of phishing, be careful where you enter your password. Make sure the domain name in the address bar is what you expect, even if the page looks identical;
  • Avoid password reuse and use strong passwords to stop attackers reaching the 2FA stage in the first place.

While this article may seem overwhelming, 2FA is still your best bet to remain as safe as possible. By knowing how an attacker may get around the various 2FA methods, you should now be better able to train yourself and your employees to adopt secure practices when protecting your accounts.