6 ways cyberattackers defeat 2FA and what you can do about it

2FA Artboard
Damon Tepe
February 25, 2019

Get the latest from the SecureAuth Blog

In a webinar last week, I discussed some of the most common ways attackers bypass 2FA, and discussed ways to stop these from happening. Those who rely on 2FA are not as protected as they think, as 2FA provides a false sense of security.

As an industry it is crucial that we implement more security controls around access points than just 2FA. Using behind-the-scenes risk checks – including device, location, IP address, account type, and behavior – you can elevate identity trust and stop attackers from bypassing 2FA, even if they have stolen credentials.

6 most common ways attackers bypass 2FA


1. Real-time phishing

Humans will always be a security weak point. A tried and tested approach, it’s not difficult for an experienced cyber attacker to send emails, make calls, and develop replica websites to coerce authentication details away from users.



2. Text & call interception

A technology loophole exposes 2FA vulnerability. A weakness in the Signal System 7 (SS7) protocol used by phone carrier networks to communicate, means attackers can intercept codes and secrets sent to mobile phones.



3. Malware

Humans unknowingly create security gaps. Unintentionally installing malicious code on PCs, tablets, and smartphones, users open door for attackers to copy and forward 2FA one-time passcodes.



4. Phone porting fraud (aka SIM-Swap)

Attackers once again target humans, this time at network carriers. This technique involves personal details and social engineering to convince a mobile phone carrier representative to move a victim’s SIM card under their control. All phone-based authentication is compromised from that point forward.



5. Notification fatigue

Attackers overwhelm users with multiple authentication requests. This is particularly effective when using ‘push-to-accept’ or other 2FA methods that simple require a user to click “yes” or “accept” when authenticating. Annoyed users will click “accept”, even when not authenticating, just to remove the notification from their screen.



6. Knowledge-based authentication

People share too much personal information on social media and the internet. A simple “Google” search can find answers to first grade teacher’s name, street you grew up on, and favorite pet’s name. Using this information as a secret only a user knows, exposes organizations to attacker exploitation.



Humans – the weakest link in cyber security

Humans are always going to be a weak spot in any identity security program. The goal then is to protect users from themselves as much as from attackers looking to take advantage of them. Watch this quick video on how adaptive authentication protects you against attackers with ways around 2FA.


Next steps

For more information about how you can achieve identity security by implementing adaptive authentication or watch one of the SecureAuth adaptive authentication webinars.

Related Stories

Pin It on Pinterest

Share This