Used in the banking sector since the 1980s, two-factor authentication (2FA) has become widespread in recent years as a way to enhance the security of user accounts and their data. It is not uncommon for this authentication method to be targeted by cybercriminals.
How can it be bypassed? What are the limitations of two-factor authentication? We’ll use concrete examples to discover whether this authentication method can still be considered reliable.
Two-factor authentication: a must for corporate security
The state of corporate security before the emergence of two-factor authentication
Before the popularisation of 2FA, the security of user accounts – and therefore of the data they handled – was often weak. This was because only the user's passwords prevented access to even the most sensitive accounts and data. This vulnerability was all the more obvious given that such passwords were, unfortunately, generally still too simple and reused on a variety of platforms for a mixture of personal and professional purposes.
This was a boon for cybercriminals, who were able to penetrate this level of defence either by using password dictionaries (“brute force” attacks) or through an unsophisticated strategy of simply attempting to guess the password using publicly available data. In the most extreme cases, it was not uncommon to find unencrypted databases containing username/password combinations on forums. This was a goldmine for cybercriminals and “script kiddies”, who could simply try to leverage them against other social network and webmail accounts.
As a result, companies were regularly confronted with numerous security problems, such as compromised user accounts, identity theft and data exfiltration.
2FA: a critically important authentication method for corporate security
According to the Data Breach Report 2022, 82% of compromises are based on social engineering techniques or the exploitation of a human vulnerability. To deal with this scourge, there is now a need to strengthen the authentication stage.
Because a single piece of information (“what I know”) is no longer sufficient, good security practice requires that this factor be coupled with another one (such as “what I am” or “what I have”). In two-factor authentication, a key fob that generates a one-time code is usually used. The “token” system, developed by the RSA company, laid the foundations of modern cybersecurity. Introduced to the market in 1986, this hardware device – which resembles a small calculator – generates a one-time temporary security code. The physical token has since given way to the virtual token.
But although companies are adopting 2FA as a good cybersecurity practice, it has its limitations.
The limitations of two-factor authentication
The development of attack techniques that circumvent two-factor verification
In recent years, cybercriminals have developed sophisticated techniques to circumvent two-factor authentication. As early as 2018, the famous hacker Kevin Mitnick issued a warning on this subject in a video posted on YouTube. One of the most common methods is for cybercriminals to create a malicious website using turnkey phishing kits. They then use a dummy login page to collect users’ credentials, such as the session code or cookie. This is a highly effective method, since the victim is transparently redirected to the legitimate site, without realising the deception. Other more complex techniques are also used, such as sophisticated social engineering to convince a victim to disclose their one-time authentication code, through “deepfaked voice” techniques or the redirection of phone calls to fraudulent numbers.
Cybercriminals can also circumvent two-factor authentication by brute force, trying all possible combinations of security codes in an automated way. In practice, however, such attacks are relatively rare because they are time-consuming and are rendered ineffective by rules for blocking connection attempts. Even rarer but just as effective, “Man-in-the-Middle” attacks use sophisticated techniques to intercept the 2FA code by tapping into communications between the user and the application. “SIM swapping” attacks enable hackers to (for example) recover the victim's 2FA confirmation SMS messages by fraudulently taking advantage of mobile number portability options with the telephone operator. These are alternatives to physically stealing a computer or mobile phone.
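The blocking rule mentioned above can be made concrete. The following is an added example, not code from the original article: a time-based one-time code check (RFC 6238) that blocks the account after repeated wrong codes and refuses a code that has already been used. The class name, the limit of five failures and the 15-minute block are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30            # seconds per code, the usual authenticator-app default
MAX_FAILURES = 5     # assumed policy: block after five wrong codes
LOCK_SECONDS = 900   # assumed policy: block for 15 minutes


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Verifies one account's codes and blocks it after repeated failures."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked_until = 0.0
        self.last_step = -1  # last accepted time step, so a code works only once

    def verify(self, code: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"  # even a correct code is refused while blocked
        for drift in (-1, 0, 1):  # tolerate one step of clock drift
            at = now + drift * STEP
            step = int(at) // STEP
            expected = totp(self.secret, at).encode()
            if step > self.last_step and hmac.compare_digest(expected, code.encode()):
                self.failures, self.last_step = 0, step
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures, self.locked_until = 0, now + LOCK_SECONDS
            return "locked"
        return "denied"
```

With these settings, an automated guesser gets five tries per 15 minutes against a space of one million six-digit codes, which is why the attack is impractical when the block is enforced per account on the server.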
Examples of bypassing two-factor authentication
As long ago as 2018, like Kevin Mitnick, Amnesty International was already warning users about the weaknesses of 2FA. Amnesty Tech had been investigating a sophisticated phishing campaign targeting journalists and human rights defenders in the Middle East and North Africa. The cybercriminals had reproduced authentication pages from Google and Yahoo. Once users entered their email addresses, the malicious interface asked them for the 6-digit authentication code that had just been sent to them by text message. Knowing the credentials and the two verification factors, the attackers now had access to their victims’ email accounts.
In the same year, the social network Reddit also suffered a cyberattack that bypassed two-factor verification by intercepting some of its employees’ SMS authentication codes. Although the cyber criminals were unable to modify any data on the platform, they did have read-only access to elements of the source code, log files and backups.
According to Microsoft, a massive spear-phishing campaign is said to have targeted more than 10,000 businesses over the period September 2021 to January 2022. Known as AiTM (Adversary-in-the-Middle) phishing, this method consists of redirecting the victim to a fake login page for one of the American firm's services and stealing the login cookie. The cybercriminal is then free to send spear-phishing emails from the victim's email account. This is one of the most difficult cases to detect, since the fraudulent email is being sent from the Microsoft infrastructure itself, thus benefiting from the reputation of Microsoft IPs and the default domain configuration (SPF / DKIM). This defeats all phishing email detection methods that are based on lists of IP and domain reputations, etc.
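Because sender reputation does not help in this case, one signal defenders can use instead is the session itself: a login cookie that shows up from a client context different from the one it was issued to. The following is an added example, not code from the original article or from Microsoft; the event fields, the sample events and the rule (flag only when both the network and the user agent differ from those seen at login) are assumptions for illustration.

```python
from ipaddress import ip_network

# Constructed sample events; the field names are assumptions, not a product's log schema.
EVENTS = [
    {"t": 100, "user": "alice", "sid": "s-1", "ip": "198.51.100.7", "ua": "Firefox/115", "type": "login_ok"},
    {"t": 160, "user": "alice", "sid": "s-1", "ip": "198.51.100.9", "ua": "Firefox/115", "type": "request"},
    {"t": 200, "user": "bob", "sid": "s-2", "ip": "192.0.2.10", "ua": "Safari/17", "type": "login_ok"},
    {"t": 260, "user": "bob", "sid": "s-2", "ip": "198.51.100.80", "ua": "Safari/17", "type": "request"},
    {"t": 300, "user": "alice", "sid": "s-1", "ip": "203.0.113.50", "ua": "Chrome/120", "type": "send_mail"},
    {"t": 305, "user": "alice", "sid": "s-1", "ip": "203.0.113.50", "ua": "Chrome/120", "type": "send_mail"},
]


def network_of(ip: str) -> str:
    """Coarse network key (assumed granularity): /24 for IPv4, /48 for IPv6."""
    prefix = 48 if ":" in ip else 24
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def find_reused_sessions(events):
    """Return sessions later used from a network AND user agent unseen at login."""
    issued = {}   # sid -> (network, user agent) recorded when the session was created
    alerts = {}   # sid -> details of the first mismatching use, plus a mail counter
    for ev in sorted(events, key=lambda e: e["t"]):
        ctx = (network_of(ev["ip"]), ev["ua"])
        if ev["type"] == "login_ok":
            issued[ev["sid"]] = ctx
            continue
        origin = issued.get(ev["sid"])
        if origin is None:
            continue  # login not in this window; nothing to compare against
        # Requiring both to differ keeps a roaming user (new network, same browser) quiet.
        if ctx[0] != origin[0] and ctx[1] != origin[1]:
            alert = alerts.setdefault(
                ev["sid"],
                {"user": ev["user"], "ip": ev["ip"], "first_seen": ev["t"], "mail_sent": 0},
            )
            alert["mail_sent"] += int(ev["type"] == "send_mail")
    return alerts
```

On the sample data only alice's session is reported, together with the number of emails sent from the mismatching context; bob's change of network with an unchanged browser is treated as roaming.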
Is two-factor authentication still reliable?
Reading the above, you may be asking yourself: is two-factor authentication still reliable? Actually, yes; it is infinitely more reliable than a simple password. However, in order to deal with possible circumvention, it is vitally important to strengthen it with additional measures.
Moving towards multi-factor authentication
To strengthen access security, it is possible to implement a series of verification factors by adopting multi-factor authentication (MFA). Multi-factor authentication requires the use of multiple pieces of evidence to grant access to the entity (a person or machine) that is logging in.
These factors are classified into three categories in the official recommendations of the French agency ANSSI, and can be of different kinds, such as:
- Knowledge factors, such as a password or a security question;
- Possession factors, i.e. a physical (smart card, SecurID key) or digital (phone, mobile application) security token that generates a unique one-time code (OTP);
- Inherent factors, such as biometrics, i.e. DNA, fingerprints, retinal prints, facial recognition, voice recognition.
Moving towards stronger communication channels
Several solutions have already emerged to improve security yet further. These include “out-of-band” authentication (OOBA), which requires user verification via two different communication channels. In this case, one factor could be sent via an Ethernet network, for example, while another would be sent via the 4G network, so that the channels are kept separate for increased security. Another possibility is the use of “deep voice detection” technology, which can detect voices generated by AI. However, the use of such techniques is still limited, due to the cost of implementing them.
It is therefore important to be aware that 2FA – and, to a lesser extent, MFA – can be vulnerable to highly sophisticated cyberattacks. Even so, the addition of a second authentication factor – even a weak one – does not make you more vulnerable than having a single factor does. These authentication methods have therefore not become obsolete, since they can stop the majority of commonly encountered cyberattacks. The correct implementation of two-factor authentication retains a key role in ensuring a certain (high) level of access security in the company. However, the adoption of a third or even fourth authentication factor for specifically targeted groups (system administrators and other corporate VIPs) and the expansion of communication channels can further reduce authentication vulnerabilities. As is often the case, it all boils down to risk management and the level of investment needed to reduce it.