Hackers circumventing two-factor authentication – Here’s how

Two-factor authentication (2FA) has strengthened network security significantly and is now used by company networks and many leading platforms.

2FA is seen as an extra layer of security to help boost that of usernames and passwords.

It is used across enterprise to help protect platforms from Office 365 to online HR systems or data storage.

But it isn’t quite as infallible as we think.

If you run or manage a network that uses two-factor authentication, you need to be extra vigilant.

Two-factor authentication

Two-factor authentication and its more complex cousin, multi-factor authentication (MFA), are used extensively as an extra layer of protection for online accounts and network access.

It is very effective at protecting logins and adds a significant layer of complexity to hackers. But isn’t the perfect panacea some think.

Man-in-the middle attacks

There has been a rise in man-in-the-middle attacks where a hacker has been able to steal the session cookie of a logged in user.

They can then use the cookie to take over the session as if they had logged in.

This does take a lot of setting up and won’t be for the mainstream hacker, but there have been observed instance of it being used in the wild.

“From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com),” members of the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center wrote in a blog post.

“In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account.”

2FA enrolment

There is also a situation where users have yet to enrol in the 2FA system or old accounts where the user hasn’t enrolled.

Hackers have been seen compromising those email addresses and enrolling their own devices so they can access systems.

Once in, the hacker has overcome the main barrier defence and can being attacking other systems.

This attack depends on hackers having access to email addresses, but given how many millions of those are leaked on the dark web each month, that’s not so difficult.

It’s then just a case of trial and error before they find an email that has yet to set up 2FA. Unless there are protocols in place to verify the device, it’s easy to register a fake device as the second factor.

What can be done to further protect two-factor authentication?

There is one thing you can do as a network administrator or manager to prevent the majority of 2FA attacks.

Use network limitations.

Restrict registrations to local network IP addresses or use location identification for company mobiles.

Any authentication attempt that doesn’t come from within the company network or from a company device in a recognised location can be refused.

It’s not the perfect solution, but like 2FA itself, it’s an extra barrier hackers have to overcome in order to access your networks.

That, along with staff training on how to deal with phishing attacks can go a long way to securing what’s yours!

making better connections

Request a Callback