How Attackers Bypass Modern Two-factor Authentication and How to Protect Users

Even with the ever-changing landscape of technology and cybersecurity, there is no way to create “ironclad” network security. Any technology that one person creates can potentially be outwitted by another person. It’s just a question of how much skill and effort will be required. Does this mean that good online security is impossible to achieve? No, but it does mean that you won’t find an easy one-stop solution. One way to derail hackers, however, is to use two-factor authentication, which is one of the more common methods of online identity verification. Let’s discuss what two-factor authentication is, how attackers bypass modern two-factor authentication, and how to protect yourself and others.

Key Takeaways

  1. Two-Factor Authentication (2FA) is a security method that requires users to provide two different authentication factors to verify their identity, enhancing security compared to traditional passwords.
  2. Authentication factors include “Something You Know” (e.g., passwords), “Something You Have” (e.g., a smartphone or security token), and “Something You Are” (e.g., biometrics like fingerprints or facial recognition).
  3. Modern 2FA methods face challenges from attackers who use methods like Reverse Proxy, Session Hijacking, SMS Hijacking, Golden SAML, and exploiting password recovery options to gain unauthorized access.
  4. To protect yourself and your users, consider switching to Multi-Factor Authentication (MFA) for enhanced security, setting short lifespans for authorization tokens, and avoiding weak authentication methods like text messages. Ensure users are cautious about clicking links in suspicious messages and verify website URLs.
  5. Hackers are continually finding new ways to bypass authentication, emphasizing the need for robust security measures and user awareness to protect sensitive information effectively.

What is Two-Factor Authentication?

Two-factor authentication (2FA) is a security process in which a user provides two different authentication factors to verify their identity. These factors typically fall into three categories:

  1. Something You Know: This includes traditional passwords, PINs, or security questions. Users are required to enter a piece of knowledge that only they should know.
  2. Something You Have: This factor involves possessing a physical device or object, such as a smartphone, a security token, a smart card, or a one-time code generator. Users must have the physical item to authenticate.
  3. Something You Are: This is related to biometrics, where physical or behavioral characteristics like fingerprints, retinal scans, facial recognition, or voice recognition are used for authentication.

To complete the two-factor authentication process, a user typically combines items from at least two of these categories. For instance, after entering a password (something they know), they might receive a temporary code on their smartphone (something they have) that they also need to enter.

Two-factor authentication provides an extra layer of security compared to using only passwords. Even if a malicious actor obtains your password, they would still need the second factor to gain access to your account, making it more challenging for unauthorized access.

How Attackers Bypass Modern Two-Factor Authentication

Now that you know what modern 2FA is all about, let’s look at the ways hackers and other cybersecurity threats try to work around it:

1. Reverse Proxy Methods

A proxy, in computing terms, is basically a middle-man server. It sits between you and the internet at large, acting as a privacy filter. However, it can be used in the opposite way. A reverse proxy can also be used to hide the identity of the destination website, so it can deliver content to a user while masking the source of that content. This lets the hacker serve you a perfect copy of a legitimate page. Once you enter your login information on that fake page, a keylogger will give that info to the attacker. This is basically a more sophisticated form of the classic “phishing” attack model.

2. Session Hijacking

There are numerous hacking tools that can hijack a particular browser session, giving someone else complete control. Necrobrowser is one of the most common tools used for this purpose, as it automates many actions and is easy to use. It can also capture any data that you input during that browser session, making it easy for your credentials to be stolen and used to circumvent 2-factor authentication.

3. SMS Hijacking

The use of automated text messages containing one-time passwords can also be a security hole. In fact, the National Institute of Standards and Technology has even issued warnings about the excessive use of SMS verification for the 2-factor authentication process. When it comes down to it, there are just too many ways for an attacker to potentially hijack the average mobile device. All they really have to do is gather enough personal information to impersonate you over the phone.

Once the attacker has gathered a little bit of information, they will then call your mobile phone provider, claiming to be you. They will claim that they lost their phone and that they want their number ported to a new one. Once your number has been ported to a malicious device, the hacker can intercept those authentication texts and enter the codes before you do. Using this method, most online accounts can be compromised.

4. The Golden SAML Method

For those who don’t know, SAML is a protocol by which identifying information is exchanged between legitimate sites and legitimate users. Unfortunately, it can also be hijacked by not-so-legitimate users. It will usually begin with an attacker gaining covert access to the identity-providing server.

This server will be using a private encryption key to access multiple accounts without a need to reauthorize. If the attacker gets that key, they can hijack the authentication process right at the source. This vulnerability has been dubbed the “golden SAML method” because no one has yet figured out an effective way to remove this threat.

5. Exploitation of Password Recovery Options

People forget passwords and usernames from time to time, so most sites will have a way to recover that information. Unfortunately, this also gives non-legit users a way to steal that information easily. They simply have to steal key pieces of your personal information or use phishing pages to trick you into giving that information away.

How To Protect Yourself And Your Users

The first thing to consider is switching away from two-factor authentication. Multi-factor authentication (meaning more than two methods) is a much surer way to go. Yes, it is still possible for someone to circumvent MFA, but it will be much more difficult. 2-factor authentication tends to use low-security verification methods like SMS or an email link. MFA, on the other hand, will require the attacker to steal a lot more information.

It’s also a good idea to set those authorization tokens to have a short lifespan. These tokens are created whenever a user successfully proves their identity at login. If you should lose the connection for whatever reason, you can re-access the page without having to enter those credentials again. Unfortunately, if these tokens do not expire quickly enough, it can create a big nasty vulnerability.

It’s also a good idea to steer clear of useless authentication methods. For instance, text messages are never going to be the best method. A simple CAPTCHA is also not good enough, as that will only prevent botnet attacks and other automated attacks. Biometric identification is the surest, but it isn’t practical for many instances. The use of a USB token is probably the best path here.

Finally, we have the human factor. As you might have noticed, all these methods require the hacker to trick the victim. Here’s a quick rule for you: If you click a link and are then directed to enter sensitive login credentials, check the URL at the top of the page. Also, make sure you are communicating with the right website. If you must enter such information, don’t use the link you have been sent! Go to the website through direct means and do things there.
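The URL check described above can be automated, for example in a mail filter or a help-desk tool. This is an added example, not part of the original article; the function name, the reason strings and the sample links are constructed for illustration, and `example.com` and `evil.test` are reserved names.

```python
from urllib.parse import urlsplit


def check_login_link(url, expected_host):
    """Return (ok, reason) for a link that asks for credentials."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; excludes userinfo and port
        user = parts.username
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if user is not None:
        # In https://site@other/ the real destination is "other".
        return False, "text before '@' is not the site name"
    if not host:
        return False, "no host"
    host = host.rstrip(".")
    try:
        host.encode("ascii")
    except UnicodeError:
        return False, "non-ASCII lookalike characters in host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host"
    if host != expected_host:
        # Exact match only: a familiar name used as a prefix does not count.
        return False, "host mismatch"
    return True, "ok"


# Constructed sample links that all try to look like login.example.com.
SAMPLES = [
    "https://login.example.com/signin",
    "https://login.example.com.evil.test/signin",
    "https://login.example.com@evil.test/signin",
    "http://login.example.com/signin",
    "https://login.ex\u0430mple.com/signin",  # Cyrillic "a"
]


def triage(samples=SAMPLES, expected_host="login.example.com"):
    """Check every sample link against the one host users should log in to."""
    return [(url, *check_login_link(url, expected_host)) for url in samples]
```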


Now you know how attackers bypass modern two-factor authentication. As you might have guessed, they come up with all sorts of ways to circumvent the authentication process! When only two factors of ID are used, their job becomes a lot easier. That is why we recommend multi-factor authentication for any organization that has sensitive info to protect. If you would like to know more about how this technology can be deployed, feel free to call PCH Technologies at (856) 754-7500.