Two-Factor Authentication: Rumors of its End are Hasty

Sebastien Viou

Countering 2FA circumvention attempts requires strengthening it with additional measures, says guest author Sébastien Viou of Stormshield.

According to Verizon’s Data Breach Report 2022, 82 percent of breaches are based on social engineering techniques or exploitation of human weaknesses. To counter this scourge, it is critical today to strengthen the authentication phase. Although enterprises often use two-factor authentication as a security best practice, this method has several weaknesses.

The Limitations of Two-Factor Authentication

In recent years, cybercriminals have developed sophisticated techniques to circumvent two-factor authentication. One of the most common methods involves creating replica websites with pre-made phishing kits. These websites contain fake login pages to collect user credentials such as codes or session cookies. This is a highly effective method as the victim is transparently redirected to the legitimate website without noticing the scam.

Other more complex techniques such as sophisticated social engineering are also used to trick a victim into revealing their one-time passcode through deep fake voice techniques or by redirecting phone calls to fraudulent numbers.

Bypassing 2FA with brute-force attacks

Cybercriminals can also bypass two-factor authentication using a brute-force attack, which automatically tries all possible variants of the security codes. However, in practice, these attacks are rare because they take time and are rendered ineffective by firewall rules that block repeated connection attempts.

Even rarer, but just as dangerous, are so-called man-in-the-middle attacks, which use sophisticated techniques to intercept the 2FA code by infiltrating the communication between the user and the application. For example, attacks such as “SIM swapping” illegally exploit the smartphone’s phone number portability option with a mobile carrier to obtain the confirmation SMS containing the victim’s 2FA parameters. These methods are alternatives to physically stealing a computer or a cell phone.

Full access to victims’ email account

As early as 2018, Amnesty International warned about the vulnerabilities of two-factor authentication. At the time, Amnesty Tech was investigating an extensive and sophisticated phishing campaign against journalists and human rights defenders in the Middle East and North Africa. In the process, cybercriminals had created fake Google and Yahoo authentication pages. Once users entered their email address, the malicious interface prompted users to enter the six-digit authentication code they had just been sent via SMS. By knowing both the credentials and the second authentication factor, the cybercriminals had full access to their victims’ email accounts.

Is two-factor authentication still reliable?

Two-factor authentication is indeed much more reliable than a simple password. However, to counter potential circumvention attempts, it is urgent to strengthen it with additional measures.

One way to make access more secure is to increase the number of verification factors by using multi-factor authentication (MFA). Multi-factor authentication requires the use of multiple verification elements to grant access to a person or machine.

According to ANSSI’s official recommendations, these factors fall into four categories, including:

  • Known factors such as a password or security question;
  • Such as a physical security token (a smart card, SecurID key) or a digital token (a phone, mobile application) that generates a unique and temporary code (OTP);
    Innate factors such as biometrics, DNS, fingerprints, retinal patterns, facial recognition, and speech recognition;
  • or manufactured factors such as location, actions, and behavioral analysis.

Out-of-band authentication or deep voice detection technology.

Several solutions already exist to provide even more security. These include out-of-band authentication (OOBA), which verifies users over two different communication channels. In this case, one factor could be communicated over a LAN network, while another is transmitted over the 4G/5G network – ergo, channel separation for enhanced security. Another approach is deep voice detection technology, which detects voices generated by an AI. However, these techniques are still of marginal importance due to high implementation costs.

Thus, it is important to recognize that 2FA, and to a lesser extent MFA, can be vulnerable to sophisticated cyberattacks. However, adding a second authentication factor, even a weak one, does not make the user more vulnerable compared to using a single factor. On the contrary. Therefore, these authentication methods are not yet obsolete: They can defend against most common cyberattacks.

Proper implementation of two-factor authentication remains a key factor in ensuring sufficient protection for access to corporate resources. Introducing a third or even fourth authentication factor for certain users (system administrator and other corporate VIPs), as well as using multiple communication channels, can further reduce the vulnerabilities of the authentication process. As is often the case, it’s a matter of proper risk assessment and the investment required to mitigate risk.


Sebastian Viou

Sébastien Viou

is director of cybersecurity and product management at Stormshield.