Two factor authentication is a method of utilizing a handheld device as an authenticator for online portals. While most organizations consider it a secure means of authenticating their users into their portals, there are methods using which two factor authentication can be bypassed. The techniques for bypassing 2fa are based on abusing the design and implementation which are often not looked at by web application administrators providing a leverage for attackers to compromise user data.
Two-factor authentication (2FA) adds an extra layer of security to your online accounts by asking for a verification code after you sign in with your email address and password.
The verification code is generated by an application on your smartphone. To gain access to your account a potential attacker would need your email address, your password, as well as your phone. Two factor authentication works on the principle of “Something you have” which in most cases is your handheld phone.
2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they will be required to provide another piece of information. This second factor could come from one of the following categories:
- Something you know: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern
- Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token
- Something you are: This category is a little more advanced, and might include biometric pattern of a fingerprint, an iris scan, or a voice print.
There are many types of 2FA so depending upon the specific type there are different weaknesses besides implementation bugs.
Often passwords tend to be one of the 2 Factors in most implementations. As it is well documented; Passwords are vulnerable to regular phishing attacks, key loggers, brute force attacks, guessing the password etc.
2FA can be card and pin (like used in debit / ATM). Skimming is a proven technique to capture both the magnetic strip and the pin.
If this is a chip card (like smartcard, EMV) then it is hard to extract the crypto key secrets from the smartcard / chip. There are many demos by security researchers (like a sim card cracking demo shown in July 2016 in Las Vegas) but they are not easy to do. Social engineering maybe easier to get hold of the chip card.
2FA can be OTP + Password. Often it is used by applications, user accounts or websites. The OTP algorithms can come in various flavors like time based, event based etc. Each of them are vulnerable to different attacks. Plenty of materials found on the internet on those weaknesses including time synchronisation issues, protecting the OTP secret in software is not as easy as it seems. For example; because of time synchronisation issues in TOTP (Time Based One Time Passwords) most implementations accept a few old TOTPs too so attacker can steal (using social engineering attacks or even malware) a sequence of OTPs.
Even the popular RSA SecurID hardware token was compromised by attackers in 2014 by stealing the master crypto keys in order to use it against a defense contractor, who was a customer of RSA.
Sometime sites or applications give 2 secrets and incorrectly call it 2FA (example Password + Zip code or DOB or CVV). These are vulnerable to social engineering attacks amongst other attacks.
Often OTPs are deliverd via phone or to an email account. There have been lots of attacks on the delivery system like on sms, email account etc. For example: call forwarding, sim cloning, sim porting etc.
Sometimes biometric authentication like fingerprint / facial recognition / voice is combined with a password. There are lots of security issues in biometric authentication too besides the known attacks against passwords. For example: replaying a video or using a scotch type to replay a biometric.
However number 1 weakness in 2FA is enrollment irrespective of the type of 2FA. In order to give someone 2FA the system or process needs to authenticate the user before giving 2FA. Always this translates to checking a 1FA or two 1FAs. Given the well known weaknesses of 1FA like passwords / pins, the attacker can enrol before the intended user. So this is the easiest way to beat any 2FA even it is based on a biometric factor.
Another generic attack against 2FA is attacks against Forget Your Password / Reset Credentials Process. Just like enrollment these reset processes tend to be 1FA again. So these lifecycle processes make the 2FA less secure.
Then there are always implementation bugs or vulnerabilities in any implementation.
Lastly Humans are gullible so Social Engineering is always a good option against any form of authentication system.
Security of a system is determined by the security of the weakest link in the process. So there is always a way. This is a problem with 2FA.
Even multi-factor authentication can be bypassed or defeated.
Many people incorrectly believe biometric authentication like finger-printing, facial recognition is the ultimate authentication method. That is just vendors storyline. Not really true though.
Bypassing 2fa Using Brute Force
Web developers leave a very disdinctive flaw when they forget to put rate limitation on the input fields, in case of 2fa if the field is not rate limited there is a possibility of brute force attacks using which the attacker can brute force the 2fa code sent to the device. Usually the length of the 2fa code is 4 to 6 characters which often is numbers, and that makes to a possibility 151,800 which in real world scenario is easily brute forceable using a normal computer
Bypassing 2fa Using Race Conditions
A race condition is termed as utilization of a previously known value recurrsively. It is an attack that takes advantage of application’s ability to utilize previously used or un used tokens at a later point in time. Considering that from 2fa prespective, An attacker can utilize previously used or unused values of tokens to verify the device. However this technique requires the attacker to have access to the previous generated values, which can be done via reversing the algorithm of the code generation app or intercepting a previously known code.
If you ever need help to bypass any type of 2 Factor Authentication System; Contact