6 Ways Hackers Bypass 2-Factor Authentication

    One of the best things to happen to internet users across the world is the invention of 2FA. The good news is it provides you with an additional layer of security that can be relied upon to an extent. The bad news is hackers are tirelessly devising new methods to breach two-factor authentication.

    So as a user, what is your fate in this cybersecurity dilemma? Are your online accounts still safe from a breach? How should you handle a two-factor authentication bypass?

    Relax, this article is aimed at addressing these concerns. But first, you need to understand how two-factor authentication works, and then the methods employed to bypass it.

    How Does Two-Factor Authentication Work?

    To understand how hackers bypass it, you need to have a grasp of how two-factor authentication works. 2FA works more simply than it sounds.

    Ever tried logging into a site and you’re asked to provide your username/password and then your number or email for verification?

    This process may leave you a little bit exasperated, but this technology benefits the overall protection of your accounts. In the process of verifying your identity, two-factor authentication may require a one-time passcode sent to your phone, email, or authenticator application. If you’re able to provide these details, you’re granted access to your account.

    So what is the logic in this? Well, you simply can’t fake being Mr. Brown when you don’t have the login details of Mr. Brown.

    Bank apps, workspaces, and sites like Facebook, Amazon Web Services, GitHub, and Microsoft use two-factor authentication to keep out unauthorized users. 

    This firewall (figuratively) is gradually eroding as hackers have found ways to extract your login details and impersonate you. While cybersecurity experts are working to figure out more secure options, two-factor authentication remains relevant. Understanding your role as a user will go a long way in keeping it relevant for a much longer time.

    How Can Two-Factor Authentication be Bypassed?

    There are several ways hackers bypass two-factor authentication. Some of them are fairly basic, while others may require more sophisticated means. Find out below:

    #1: Phishing

    A cybercriminal can phish authentication codes in the same way passwords are normally phished. In this breach method, the cybercriminal sends a user a phishing text message. These phishing text messages often copy the style of Google SMS alerts, alerting you of someone’s intention to sign in to your account.

    This is usually followed by the user receiving an email posing as a Gmail login attempt alert. This email, which contains the user’s details, instructs the user to change their password. This is again followed by another phishing page requesting the authentication code.

    The phishing pages are usually under strict monitoring by the attacker. Once the password is changed, the attacker logs into the user’s account with the new password. This initiates a real Google text notification to the user, which contains the authentication code.

    The user enters the second code, which usually has a 20-60 second lifespan. This is just enough for the attacker to change the login credentials of the user and take over the account. An attacker can also intercept an SMS 2FA code in transit using a SIM swapping attack by impersonating your device’s ID.

    #2: Social engineering

    Social engineering attacks work by tricking users into logging in to fake, lookalike sites with their real login credentials. To initiate this, the attacker gets the user to click on a website that is a 2FA clone. This usually lands the user on a phishing site where they’re prompted to enter their username and password. 

    The login attempt fails, so the user then has to provide their authentication code. This supplies the cybercriminal with the information they need to gain control of the account.

    #3: Brute force

    In this method, the attacker tries random codes until he guesses the correct sequence. Four-digit codes are easier to guess, while six-digit codes or longer are more difficult.

    This suggests that longer codes are a setback for this kind of attack. The attacker also has only a short window of time to brute-force the code, usually 30-60 seconds depending on the authentication app.
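
    The two limits described above (code length and a short validity window) only hold if the service also caps wrong guesses per code. The following is an added example, not code from the original article: a server-side check for a one-time code that expires, allows a fixed number of attempts, and is single-use. The class name, function name and default values are assumptions chosen for illustration.

```python
import hmac
import secrets
import time


class OtpChallenge:
    """One issued code: dies after `ttl` seconds or `max_attempts` guesses."""

    def __init__(self, digits=6, ttl=30, max_attempts=5, now=None):
        # Uniformly random, zero-padded code from a CSPRNG (illustrative defaults).
        self.code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self.expires_at = (time.time() if now is None else now) + ttl
        self.attempts_left = max_attempts

    def verify(self, guess, now=None):
        now = time.time() if now is None else now
        if now >= self.expires_at or self.attempts_left <= 0:
            return "locked"            # caller must issue a fresh challenge
        self.attempts_left -= 1
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.attempts_left = 0     # a code is single-use
            return "ok"
        return "wrong"


def guess_probability(digits, attempts):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, 10 ** digits) / 10 ** digits


if __name__ == "__main__":
    # With 5 attempts allowed per code, compare four-digit and six-digit codes.
    for n in (4, 6):
        print(n, "digits:", guess_probability(n, 5))
```

    With five attempts per code, a four-digit code is guessed with probability 0.0005 and a six-digit code with probability 0.000005; without the attempt cap, the time window alone is the only limit.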

    #4: OAuth

    Sites like Amazon, Google, Facebook, and so on use open authorization (OAuth). OAuth allows users to access their accounts through a third-party account. This means you’d have an alternative option to access a platform with your Facebook or Gmail account. 

    In OAuth, the site the user is attempting to sign into requests a token from the third-party site. The third-party site verifies the user account and sends a callback code. The site then grants access to the user. You may ask, how can OAuth be bypassed by cybercriminals?

    Using OAuth, the cybercriminal does not need to use two-factor authentication. If your Gmail or Facebook username falls into their hands, that’s all they need to gain access. 

    #5: Email compromise

    An attacker can steal 2FA codes sent to a user’s email address and use them to log in to the account that the codes were requested for. You would see this situation when a user sets an account to receive 2FA codes at their email address.

    An attacker can compromise an email address using a variety of techniques like phishing, social engineering, password guessing, and more. It is for this reason that emailed 2FA codes are not a good idea; 2FA applications are a better choice here.

    Attackers can steal session cookies from users using a variety of security tools and techniques. Stealing a session cookie allows an attacker to steal the browsing session from the victim.

    This essentially gives the attacker access to whatever session that victim is in, whether it be on, or logged in to their Gmail account. Once the attacker has taken over that session, they can basically do any and all administrative tasks just as if they were the user.

    From there, the attacker can disable 2FA from the security settings in the account as well as change the login email & password. At this point the attacker has bypassed 2FA.

    How Can I Protect Myself from SIM Swap Attacks?

    Many secure websites and social media now use phone numbers as a second means of authentication to verify real users. This is quite straightforward as almost everyone has a mobile phone number. This serves to prevent cybercriminals from accessing our sensitive accounts. 

    Since some two-factor authentication requires your phone number, you may ask, what alternatives are there to SMS-based two-factor authentication? Luckily, there is one: app-based authentication. It is simply the easiest way to protect yourself from SIM swap attacks.

    While having 2FA enabled is ultimately better than not, many services offer two types of two-factor authentication. SMS-based two-factor authentication, as highlighted already, leaves you vulnerable to SIM swaps. However, this is the most widely used option. The less common one is app-based authentication.

    You may wonder what makes application-based two-factor authentication more secure than the SMS-based type. It’s simple. Rather than receiving confirmation text messages, your authentication code is generated by an authentication app. The most common app-based authenticator is Google Authenticator, with both Android and iOS versions. The simple steps for this are:

    1. Download and install an authenticator app
    2. Choose app-based authentication when configuring your 2FA settings 
    3. Scan the QR code provided and you’re good to go
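
    What the authenticator app computes once the QR code has handed it a shared secret, shown as an added example that is not part of the original article. It assumes the common TOTP scheme (RFC 6238 with HMAC-SHA1, 30-second steps, six digits); the function names and the `last_counter` replay check are illustrative, and the sample secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: the code depends only on the secret and the clock."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, submitted, at=None, drift_steps=1, last_counter=-1):
    """Return the matched time-step counter, or None.

    Accepts +/- drift_steps of clock skew and rejects any step at or before
    last_counter, so a code that was already used cannot be replayed.
    """
    now = int(time.time() if at is None else at)
    for delta in range(-drift_steps, drift_steps + 1):
        counter = now // 30 + delta
        if counter <= last_counter:
            continue
        expected = totp(secret_b32, at=counter * 30)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


# Constructed sample: the RFC 6238 test key, Base32-encoded the way the
# otpauth:// URI inside a setup QR code carries it.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, at=59))          # RFC 6238 vector, last 6 digits
    print(verify_totp(SAMPLE_SECRET, "287082", at=59))
```

    Nothing in this computation involves the phone number or the mobile network; the code comes from a secret stored on the device and the current time.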

    Apps are not susceptible to SIM swapping because the details in your device cannot be transferred to another device. It doesn’t stop here. Another question could be, what if my bank doesn’t support app-based authentication? Doesn’t this leave me vulnerable to SIM-based 2FA attacks?

    Well, the answer to that is yes, it does. But there’s a way around this. Anonymous mobile numbers can do the trick. An attacker can’t perform a SIM swap if they don’t know any phone number to use.

    Luckily, secure services don’t reveal your phone numbers to cybercriminals. They only gain access when you share it publicly on social media or other public platforms. This way you’re sure to stay hidden from SIM swapping attacks.


    Knowing that two-factor authentication can be bypassed opens new ways to counteract attacks like this. SMS-based authentication is not the best authentication method because of its SIM swapping loophole, but that loophole can still be circumvented. Just follow the steps illustrated in this post to set up an app-based one.

    SecurityWizard holds a bachelor’s degree in cyber security and networks from University of Maryland Global Campus, multiple security certifications, and works as a threat hunter, incident handler, and penetration tester. SecurityWizard is studying for advanced certifications focused on offensive cyber operations through SANS Technology Institute. He also enjoys learning about cyber attacker methods, tools, and processes. SecurityWizard is also extremely passionate about security and wants everyone to learn how to protect their data, maintain their privacy, and use safe security methods. He loves this subject and hopes you can learn something!