Ethical hacking: Top 6 techniques for attacking two-factor authentication
Two-factor authentication (2FA) has been renowned for some time now for the security it can bring to organizations. The combination of something you know, something you have and something you are is the heart and soul of 2FA and helps explain its relative security strength.
Despite this fact, attackers are known to have several ways to successfully attack 2FA, and as an ethical hacker, it is your job to understand these potential attacks. This article will detail the top six techniques for attacking 2FA and present you with an all-around picture of the kinds of 2FA attacks you can expect to encounter when working as an ethical hacker.
What is two-factor authentication?
2FA is a method of authentication that brings an extra dish of security with it to the proverbial information security potluck. Instead of relying solely on the traditional combination of a username and password, 2FA schemes require that users authenticate with two (or more) of the following:
- Something you know: Password, PIN, etc.
- Something you have: Smart card, USB token, etc.
- Something you are: Voice, iris, fingerprints, etc.
There are two ways to authenticate:
- One-way: This is the most common type of authentication. Only one party authenticates to the other (server-only or client-only), with server-only authentication being the most widely used.
- Two-way (mutual authentication): Both client and server must authenticate to each other. It is not as common as one-way authentication but is more secure.
Top 6 techniques for attacking two-factor authentication
1. Social engineering
Without a doubt, the top technique for attacking 2FA is social engineering. 2FA relies heavily on knowledge known only to the user, and when a website or service that uses 2FA is seemingly not working, users naturally reach out to tech support. Attackers have been observed social engineering tech support in order to get a user's password reset or to steal sensitive information related to 2FA.
This is a natural point of vulnerability for 2FA: any tech support interaction makes the disclosure of sensitive user information near inevitable, often after just a few questions (or none at all, if the user volunteers the information).
2. Cookie session hijacking
Cookie session hijacking has been with us since the dawn of networked computers. It has been said that there are hundreds of ways to perform cookie session hijacking even if 2FA is used for authentication.
A recently publicized method for performing this technique was demonstrated by hacking expert Kevin Mitnick, using a man-in-the-middle attack framework called evilginx. The demonstration involved tricking a victim into visiting a typo-squatted domain that presented a proxied login page; the user's interaction allowed evilginx to capture the login credentials and authentication code, which it then passed on to the legitimate site. The end result was a captured session cookie which can be used indefinitely.
3. Duplicate code generator
Depending on how your organization has implemented 2FA, code or number generators may be used for generation of “something you know” (see Google Authenticator).
“Random” number generators normally start with a seed value, generated at random, which is in turn used to generate the first number in the code sequence. The algorithm uses this first value to generate the subsequent code values. If attackers learn the algorithm and the seed, they can use this information to create a duplicate code generator that is identical to the compromised user’s code generator.
4. Two-factor authentication “not required”
Some websites and services that allow users to use 2FA may not require it, which means that the user does not have true 2FA. Rather, access to 1FA will still be available to both the user and attackers, meaning that attackers can use 1FA to access the site or service.
The disturbing thing about this is that many widely-used websites, including Facebook, LinkedIn and Twitter, do not require 2FA even though they offer it. In instances like these, attackers can bypass 2FA by answering password-reset security questions, which are much less secure.
5. Brute force
What would authentication attacks be without the quintessential brute-force attacks? Even though 2FA offers better security than 1FA, brute force can help attackers get around it.
Brute-force attacks are possible if the 2FA authentication screen does not enforce account lockouts after a predetermined number of bad attempts. How this works is that the attacker sends a password reset message to the compromised user’s email. The attacker then navigates to this password reset email, sets a new password, and simply brute-forces the user’s 2FA code.
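To make techniques 3 and 5 concrete (a code generator is only as secret as its seed, and a verifier without lockout invites guessing), here is an added example that is not code from the article or from any product it names: a minimal RFC 4226/6238 HOTP/TOTP generator and a server-side verifier that tolerates one time step of clock drift, compares in constant time and locks the account after a fixed number of failures. The seed is the RFC test vector seed so the codes can be checked; the lockout thresholds are assumed policy values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step.

    Any two devices holding the same seed compute the same code, which is why
    a leaked seed is equivalent to a cloned generator."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class TotpVerifier:
    """Server-side check with a skew window, constant-time compare and lockout.

    The thresholds are assumed policy values, not taken from any product."""
    secret: bytes
    step: int = 30
    max_failures: int = 5
    lockout_seconds: int = 300
    failures: int = 0
    locked_until: int = 0

    def verify(self, submitted: str, unix_time: int) -> bool:
        if unix_time < self.locked_until:
            return False  # locked out: the code is not evaluated at all
        # Accept the current step and one step either side for clock drift.
        for step_offset in (-1, 0, 1):
            expected = totp(self.secret, unix_time + step_offset * self.step, self.step)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            # A 6-digit code has only 10**6 values, so unlimited attempts
            # would succeed in bounded time; lock the account instead.
            self.locked_until = unix_time + self.lockout_seconds
            self.failures = 0
        return False
```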
6. Buggy two-factor authentication
Bugs are still a fact of life in today’s world and this extends into the world of 2FA. Within the last year or so, there have been several examples of this affecting widely-used websites and services, including Uber.
The dangerous thing about buggy 2FA is the sheer volume of machines it can impact. For example, in 2017 the Return of Coppersmith’s Attack (ROCA) vulnerability was discovered to impact all 2FA products, including smart cards and TPM chips, that use Infineon Technologies-generated RSA keys of 2,048 bits or less (which most are). To this day, there are hundreds of millions of impacted devices.
Two-factor authentication was intended to be a major security upgrade for many websites and services, and in fact, it has been. With this said, attackers have been using the innate weaknesses of the technology and its implementations to attack 2FA and ultimately access a website, a service or even an entire system.
Ethical hackers need to be aware of these different 2FA attack techniques, because chances are that at least one of them will be used against their organization at some point.
Sources
- 11 Ways to Defeat Two-Factor Authentication, KnowBe4
- Bypass Two-Factor Authentication, HackerOne
- How 2FA can be hacked using social engineering, RCR Wireless News
- Evilginx – Advanced Phishing with Two-Factor Authentication Bypass, BreakDev