How Attackers Bypass Modern Two-factor Authentication and How to Protect Users

It is unfortunate, but there is no way to create “ironclad” network security. Any technology that one person creates can potentially be outwitted by another person; it’s just a question of how much skill and effort will be required. Does this mean that good online security is impossible to achieve? No, but it does mean that you won’t find an easy one-stop solution. Let’s get a little more specific and talk about two-factor authentication, which is one of the more common methods of online identity verification. We will discuss the ways in which hackers can bypass these measures and how you can prevent them from accessing sensitive data.

1. Reverse Proxy Methods

A proxy, in computing terms, is basically a middle-man server. It sits between you and the internet at large, acting as a privacy filter. However, it can be used in the opposite way. A reverse proxy can also be used to hide the identity of the destination website. It can deliver content to a user while masking the source of that content, so the hacker can serve you a perfect copy of a legitimate page. Once you enter your login information on that fake page, a keylogger will give that info to the attacker. This is basically a more sophisticated form of the classic “phishing” attack model.

2. Session Hijacking

There are numerous hacking tools that can hijack a particular browser session, giving someone else complete control. Necrobrowser is one of the most common tools used for this purpose, as it automates many actions and is easy to use. It can also capture any data that you input during that browser session, making it easy for your credentials to be stolen and used to circumvent 2-factor authentication.

3. SMS Hijacking

The use of automated text messages containing one-time passwords can also be a security hole. In fact, the National Institute of Standards and Technology has even issued warnings about the excessive use of SMS verification for the 2-factor authentication process. When it comes down to it, there are just too many ways for an attacker to potentially hijack the average mobile device. All they really have to do is gather enough personal information to impersonate you over the phone.

Once the attacker has gathered a little bit of information, they will then call your mobile phone provider, claiming to be you. They will claim that they lost their phone and that they want their number ported to a new one. Once your number has been ported to a malicious device, the hacker can intercept those authentication texts and enter the codes before you do. Using this method, most online accounts can be compromised.

4. The Golden SAML Method

For those who don’t know, SAML is a protocol by which identifying information is exchanged between legitimate sites and legitimate users. Unfortunately, it can also be hijacked by not-so-legitimate users. It will usually begin with an attacker gaining covert access to the identity-providing server.

This server will be using a private encryption key to access multiple accounts without a need to reauthorize. If the attacker gets that key, they can hijack the authentication process right at the source. This vulnerability has been dubbed the “golden SAML method” because no one has yet figured out an effective way to remove this threat.

5. Exploitation of Password Recovery Options

People forget passwords and usernames from time to time, so most sites will have a way to recover that information. Unfortunately, this also gives non-legit users a way to steal that information easily. They simply have to steal key pieces of your personal information or use phishing pages to trick you into giving that information away.

How To Protect Yourself And Your Users

The first thing to consider is switching away from two-factor authentication. Multi-factor authentication (meaning more than two methods) is a much surer way to go. Yes, it is still possible for someone to circumvent MFA, but it will be much more difficult. 2-factor authentication tends to use low-security verification methods like SMS or an email link. MFA, on the other hand, will require the attacker to steal a lot more information.

It’s also a good idea to set those authorization tokens to have a short lifespan. These tokens are created whenever a user successfully proves their identity at login. If you should lose the connection for whatever reason, you can re-access the page without having to enter those credentials again. Unfortunately, if these tokens do not expire quickly enough, it can create a big nasty vulnerability.
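As an added illustration (not code from the original article), here is one way a server can issue a signed token with a short lifetime and reject it once that lifetime has passed. The key, the 15-minute lifetime and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for illustration; a real key comes from a secret store.
SECRET_KEY = b"constructed-demo-key"
TOKEN_TTL_SECONDS = 15 * 60  # assumed "short lifespan": 15 minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Issue a signed token once the user has passed every login factor."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": user, "exp": issued + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a genuine, unexpired token, otherwise None."""
    current = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        signature = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    # Verify the signature first so a forged "exp" is never trusted.
    if not hmac.compare_digest(signature, _sign(payload)):
        return None
    claims = json.loads(payload)
    if current >= claims["exp"]:  # a stolen token dies with its lifetime
        return None
    return claims["sub"]
```

Because the expiry time is covered by the signature, a captured token cannot have its lifetime extended; it can only be replayed until `exp` is reached.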

It’s also a good idea to steer clear of useless authentication methods. For instance, text messages are never going to be the best method. A simple CAPTCHA is also not good enough, as that will only prevent botnet attacks and other automated attacks. Biometric identification is the surest, but it isn’t practical for many instances. The use of a USB token is probably the best path here.

Finally, we have the human factor. As you might have noticed, all these methods require the hacker to trick the victim. Here’s a quick rule for you: If you click a link and are then directed to enter sensitive login credentials, check the URL at the top of the page to make sure you are communicating with the right website. If you must enter such information, don’t use the link you have been sent! Go to the website through direct means and do things there.
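The URL check described above can also be automated, for example in a mail filter or a help-desk tool. This is an added example, not code from the original article; the expected host and the sample URLs are constructed and use reserved example domains.

```python
from typing import List
from urllib.parse import urlsplit

# Assumption: the only host where users should ever type credentials.
EXPECTED_HOST = "login.example.com"

# Constructed sample links: one genuine, four look-alikes.
SAMPLE_URLS = [
    "https://login.example.com/signin",
    "https://login.example.com.evil.test/signin",  # real name used as a subdomain
    "https://login.example.com@evil.test/signin",  # real name placed before '@'
    "http://login.example.com/signin",             # right host, no TLS
    "https://login.xn--exmple-cua.com/signin",     # punycode-encoded label
]


def check_login_url(url: str, expected_host: str = EXPECTED_HOST) -> List[str]:
    """Return the reasons a URL should not be trusted for login (empty = OK)."""
    problems = []
    parts = urlsplit(url)
    # urlsplit lowercases the host and strips userinfo and port from it.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None:
        problems.append("text before '@' is not the host")
    if host != expected_host:
        problems.append(f"host is {host!r}, expected {expected_host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode label, possible look-alike characters")
    return problems


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", check_login_url(url) or "OK")
```

The comparison is an exact match on the parsed host rather than a substring search, which is why the look-alikes that merely contain the real name are rejected.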


As you might have guessed, hackers have come up with all sorts of ways to circumvent the authentication process. When only two factors of ID are used, their job becomes a lot easier. That is why we recommend multi-factor authentication for any organization that has sensitive info to protect. If you would like to know more about how this technology can be deployed, feel free to call PCH Technologies at (856) 754-7500.