How to hack two-factor authentication: Which type is most secure?
Password security is one of the biggest holes in many organizations’ cybersecurity defenses. Traditionally, authentication systems have relied on knowledge of a password to differentiate between legitimate and unauthorized users of a system or service. If you know the password, then you’re supposed to have access.
The problem with this is that many people practice very poor password security. Weak and reused passwords are easy to guess and enable credential stuffing attacks after a data breach. According to Verizon’s 2021 DBIR, 61% of data breaches involved the use of compromised credentials.
Two-factor authentication (2FA) and multi-factor authentication (MFA) are designed to solve this problem. Instead of relying solely on a password for user authentication, they require a combination of two or more factors, such as:
- Something you know: password, passphrase etc.
- Something you have: smartphone, authenticator etc.
- Something you are: biometrics
2FA and MFA differ only in the number of factors that they require. 2FA uses exactly two factors, while MFA can use two or more.
By requiring multiple factors for authentication, 2FA and MFA make it harder to gain unauthorized access to a system because guessing a password is no longer enough. However, depending on the factors used, it still may be possible to bypass MFA security.
Phishing simulations & training
Exploring the security of MFA
MFA comes in various forms, and each has varying levels of security. Some of the main forms of MFA are as follows:
Email/SMS
Single-use codes sent by email or SMS are the most common method for implementing MFA. By requiring the user to enter a code sent to a phone or email account as well as a password, this form of MFA requires a “something you have” factor alongside “something you know.”
However, while email/SMS-based MFA is easy to implement, it also has the most security issues. For email, the biggest problem is that proving access to an email account is not necessarily multi-factor. If a user logs into the email account with a password, the two factors are both “something you know.” Also, the same password may be used for both accounts, further undermining the security of MFA.
SMS-based MFA also has its issues and can be undermined in various ways. Attackers may perform SIM swapping attacks to take over a target’s phone number, which results in MFA codes being sent to them. Alternatively, an attacker can use social engineering to trick users into sending the code to them. These, and the vulnerabilities of the SS7 mobile network, make email/SMS-based MFA vulnerable to exploitation.
Authenticator app
Another common form of MFA is the use of an authenticator app. When a user wants to authenticate, they provide the code currently shown by their app, and the server verifies that it is a valid code at that time. Using the time-based one-time password (TOTP) algorithm (described in RFC 6238) and a shared starting point, a server and authenticator app can generate the same series of time-dependent codes.
Authenticator apps provide reasonably good security because the one-time codes are independently generated and not transmitted between the server and client. However, any MFA algorithm that involves entering a code is potentially vulnerable to social engineering. Also, malware on a smartphone may read authentication codes from within the app.
Hardware authenticator
Like a Yubikey or a smartcard, hardware authentication devices store authentication information on a physical device. When the device is connected to a computer, the user can access protected accounts (potentially after entering a PIN).
A hardware-based authenticator provides better security than an authenticator app. Because authentication information is stored on a dedicated device with built-in protections, it is more difficult for malware to access this information.
Biometrics
Biometric-based authentication uses the “something you are” factor. Examples include facial recognition, iris scanning, fingerprint scanning etc.
While biometric authentication works well in theory, modern biometric-based authentication systems perform poorly in practice. Numerous examples exist of people bypassing smartphone facial or fingerprint recognition systems using various techniques. However, beating a biometric authentication system typically requires access to the real owner, which makes it more secure than email/SMS-based authentication, and it is less vulnerable to social engineering attacks.
Push notification
Push notification MFA uses notifications on a user’s smartphone for MFA. To access an account, the user will have to tap a notification on their phone, which is “something you have.”
Push notification MFA eliminates the need to copy a one-time code from one device to another; however, it can still be vulnerable to social engineering. People may be accustomed to addressing notifications on their phones without thinking about it, making PUSH attacks possible.
Passwordless authentication
As its name suggests, passwordless authentication is designed to do away with the password as one of the two factors used during authentication. Unlike the other MFA options, passwordless authentication uses a combination of “something you have” (typically a digital certificate stored on a device) and “something you are” (biometric authentication).
The security of passwordless authentication relies on its underlying features, and, as mentioned above, biometric authentication occasionally has issues. However, even with these issues, eliminating passwords makes this a better form of authentication in terms of usability and security. Additionally, eliminating a password or one-time code makes passwordless authentication less prone to social engineering attacks.
Phishing simulations & training
The bottom line of 2FA
Different forms of MFA all have their strengths and weaknesses. However, any form of 2FA/MFA provides an additional layer of defense, which makes it more secure than purely password-based authentication.
Sources:
- 2021 Data Breach Investigations Report, Verizon
- RFC 6238, IETF
- What Are PUSH Attacks? Hypr
In this Series
- How to hack two-factor authentication: Which type is most secure?
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Top 5 ways ransomware is delivered and deployed
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness