Two Factor Authentication (2FA) is a security protocol where a user provides two authentication ways to verify themselves on a given web system. In this Information age, this is done to protect user data from eavesdroppers and malicious users.
2FA provides another layer of security on top of the commonly used password or pin. In case a user’s password is stolen from an eavesdropper or a malicious user runs an injection into a system database, they cannot get past the second layer of security where in most cases they have to enter a temporary verification code sent to the mobile number attached to the account.
However, this does not guarantee hundred per cent security as 2FA also has its flaws and vulnerabilities which can be exploited if the attackers are well versed the system’s loopholes.
So, what are those two-factor authentication vulnerabilities that would make it possible for an attacker to gain access to your personal data? Well, we get to dissect some of them below;
Two Factor Authentication (2FA) may be a good way to protect your data but it does have its vulnerabilities
1. Bypassing 2FA entirely
The first exploitation can be bypassing 2FA entirely. This is achieved if during the process of 2FA, a user is a prompted a password and on providing it, the system navigates to a new page to ask for a verification code.
On navigation to a new page, the system has already logged in and therefore, one can find a way of accessing whatever he or she wants. On another note, some systems might not check whether or not the second step is passed.
A hacker can also take advantage of the fact that the system does not verify if it’s the same user completing both steps of logging in. When a user logs in during the first step, a system is supposed to assign him a cookie (file with user information like username and password) before navigating them to the next step.
As the user completes the second step, the system is supposed to look at the cookie and find out which account is the user trying to access. The flaw comes when the system does not verify the cookie. At this point, a malicious user can edit the values of the cookie and use it to access several accounts.
Apart from that, there is the issue of phishing, whereby the hacker can direct users to malicious sites where single-use passwords are captured. The hacker watching the site in real-time can use the token to access the targeted site before the token expires.
2. Brute force attack
A malicious user can also brute-force verification codes. Brute-forcing passwords and codes is a scenario where the attacker enters numerous values for each time each gets rejected.
Systems have been able to overcome this vulnerability by having a maximum number of times one is supposed to submit a password or else gets locked out.
The most ambitious way is hijacking the verification code before it reaches the intended target. This is very rare and is usually done by different government-backed hackers to monitor their targets without them knowing.
3. SIM Hacking
In case you use your mobile device number as a means of receiving verification codes, the bad actor can actually gain access to them if they manage to hack your SIM. There have been cases where people’s SIM cards are mirrored by attackers giving them access to all your information.
It may not be a common practice, but it’s definitely possible. The bad actor can effectively take over the phone number of the mobile device used as part of the Two Factor Authentication enabling them to receive the single-use tokens and log in.
There’s also the possibility of the code being intercepted during transfer since the code is being transmitted via SMS rather than being generated by the device itself. There is also a risk of SIM swapping, whereby an attacker fraudulently obtains a SIM card with the victim’s phone number.
In cases where a user is provided with a dedicated device for this purpose, such as the RSA token or keypad device that you might use to access your online banking or work laptop. If it ends up stolen or missing, the bad actor could take advantage of the situation.
Even though Two Factor Authentication may have its vulnerabilities, it is still considered as one of the best ways to protect your data and accounts online compared to the single knowledge-based factor, such as a password. For this reason, two-factor authentication is demonstrably more secure than single-factor authentication.
Author: Katende Basajjabaka
Katende writes about sports and occasionally technology.