Bypassing Common Two-Factor Solutions


Joosua Santasalo

Senior Consultant, Digital Identity

July 20, 2017 at 10:30

Two-factor authentication (2FA) is the security feature everyone knows. Any worthwhile security expert takes the opportunity to remind an organization or individual that they should enable two-factor authentication to their services.

But let's trace back a bit. So what does two-factor authentication actually mean? There are three general types of authentication:

  • Something you know; password, PIN code, gesture pattern or similar.
  • Something you have; a phone, a keycard or a fob (that produces a code in a way or another).
  • Something you are; a biometric feature like fingerprint or voice recognition.


2FA means that you have two out of the three types of authentication and you need to use both of them sequentially for access

There are also different forms of 2FA that are not really two-factor, which everyone should avoid. Example of this would be using email address as the username and the same email address as the destination for the two-factor authentication codes. In case the email address was compromised, the second factor, authentication codes, couldn’t provide any further security.

Currently the most common combination is to use password and a phone, to which you get a one-time code as an SMS. After logging in with username and password you will asked to input this usually short numeric code, which is valid for some period of time - note that this varies, the codes might be valid for minutes or for hours.

Increasingly used replacement for SMS is time-based authentication tokens. They come both in physical form like well-known RSA SecurID and in mobile applications like Google's Authenticator. As even venerable NIST has began deprecating SMS as a secure 2FA method, time-based tokens are gaining popularity because they are arguably more secure than SMS, which is burdened by the widely-known vulnerabilities in SS7 protocol. The risk is not even theoretical any more: hackers compromised activists' Telegram accounts that require the SMS code for authorizing a new device.

Physical authentication method may also be used. In this case, the correct authentication device needs to inserted into the correct computer for it to work. In organizational context, this usually comes in the form of keycards or authentication “fobs”. For the security conscious individuals, physical access tokens based on the relatively new Universal 2nd Factor open standard are widely available. U2F is gaining adoption fast and can already be used as a security measure in a number of services including Google, Facebook, GitHub and many others. Most known product of this kind is probably YubiKey from Yubico.

Bypassing two factor authentication methods

1. Account recovery features (all 2FA methods)

With account recovery features, say a Google or Microsoft account, you can bypass the 2FA entirely. If you can compromise the recovery email or answer the security questions (information for both can usually be found online) you might be able to turn off the 2FA in minutes.

2. Phishing attacks (all one-time token 2FAs)

With the growing number of web services offering 2FA this type of attack is attractive for cybercrime being the most scalable one. Phishing attacks can be automated along with other means like malvertising. Phishing attacks, in this case, have two main attack techniques:

1. Clickjacking; inserting a malicious iframe or similar which directs you to a website that is stealing logins.
2. Phishing emails; emails containing links that seem safe but lead to sites stealing logins.

The best example of this kind of attack is the "LostPass" hack that steals LastPass password manager logins. LostPass has a clever way of stealing the login despite two-factor: from a malicious link, it opens a site that is identical to LastPass login screen, after which a user will happily input both the password… and the one-time code, thus bypassing the security of 2FA. The login information is then relayed to the attacker who uses the information to make the login. You can read the description of LostPass here.

3. Via the telecommunications company (SMS-based 2FAs)

There are also ways to compromise 2FA through the telecommunications company with social engineering. Usually the customer service strongly prefers to keep the customer happy. If you can confidently impersonate the victim and you are armed with victim’s SSN and some similar basic information you can make any changes you want. This includes call & SMS forwarding and ordering a new SIM card.

The other way is the online telecom account management sites, which may be subject attacks mentioned previously under “1. Account recovery measures”. If you can get the login information, you can most likely set an SMS forwarding from the online account management.

2FA is good security, but it's not bulletproof and is even vulnerable for mass compromise for a skilled attacker. Obviously there are more ways to compromise different kinds of 2FA solutions than outlined here. Readers should also note that in most cases if malware gets control of your device it will get control of your accounts also despite the 2FA solutions. There aren't many ways to protect you from these more sophisticated attacks, but using time-based authentication tokens or U2F keys and taking a look at the account recovery details of your services will give you a head start against attackers.

Disclaimer: product mentions in this blog post are not endorsements and are only here to provide examples.

Related blogs