
The Trouble With Two-Factor Authentication

Two-factor authentication is being exploited more and more often as attackers adopt ever more sophisticated techniques to bypass it. Phishing, social engineering and call forwarding are all being used to defeat 2FA. Businesses must explore alternatives such as adaptive authentication, or risk 2FA leaving their data vulnerable.

What is two-factor authentication?

Known as 2FA or two-step verification, it is an extra layer of security designed to protect information beyond the traditional username and password combination. The second authentication factor can take a variety of forms, including an SMS token, a hard token, a one-time passcode or knowledge-based questions. When a user logs into an account protected by 2FA, they are then prompted to supply the second factor before they are granted access.

For years, 2FA has been an integral component of most enterprise security strategies. However, with 74% of data breaches now starting with the use of valid privileged user credentials, and attackers having no problem bypassing two-factor authentication, whether by intercepting codes or by exploiting account-recovery systems, it is glaringly obvious that two-factor is no longer enough.



Playing a part in 93% of all data breaches last year, phishing attacks have grown in prevalence over the last few years, with malicious actors exploiting human behaviour and poor security. Phishing attacks typically direct users to a fake login page via a fraudulent SMS or email message.

It begins with the victim entering a login page for Office365, iCloud, PayPal etc. The target, believing the landing page to be authentic, enters their credentials into the fake login form. The fake login form subsequently prompts the user with a two-factor request.

Meanwhile, the hacker, with access to all the credentials entered into this page, takes the target’s username and password and enters them into the legitimate site. This process can be automated to carry out this attack at scale.

When the hacker submits these details to the legitimate site, the real 2FA protection kicks in and asks the hacker for the 2FA code. This triggers the legitimate site to send the genuine 2FA code to the target.

The target enters this code into the phishing page and appears to pass the 2FA prompt. Unknown to the target, any code would have been accepted in that field: the fake login procedure exists only to harvest credentials, not to check whether the target’s account information is genuine.

The code that the target enters into this field is immediately visible to the hacker. The attacker’s next step is to use this code to complete the real login process, and thus gain access to the target’s account.


Hard tokens give a very poor user experience: they are a physical item that you have to keep on you at all times, and you also need to make sure you never lose it.

Hard tokens, probably the 2nd most popular method of 2FA, have proven to be vulnerable too, with sophisticated attackers finding methods to get around them.

Because the user experience is so cumbersome, end-users tend to circumvent the control and willingly share hard tokens, for example by showing the token over a webcam or filming it. In some organisations the high cost of hard tokens leads to a decision to issue one token to a pool of users, who may be contractors or third parties. These practices defeat the purpose of using a hard token in the first place.


Bad actors can intercept 2FA codes even when they are transmitted via voice calls, using malware that creates a backdoor communication channel to a command and control (C&C) server.

Once installed on a compromised device, the malware opens the backdoor, collects a list of system-specific information, and sends it to the C&C server to register the device and obtain a unique identifier for it.

Example – Android.Bankosy
Works by using the call forwarding feature to hijack a user’s mobile device and redirect all voice traffic to the hacker’s phone.
A Trojan horse, this malware is installed on Android devices, opening back-door access to the device for the hacker.


Knowledge-based questions and answers, such as birthdate, mother’s maiden name, town of birth, are easily socially engineered, with answers commonly found across social media.


A rising trend is malware on users’ phones that intercepts SMS messages and forwards them to an attacker.

Example – O2 thefts
O2 is a good example of one-time passcodes being intercepted and exploited. O2 confirmed that some of its customers had their bank accounts drained in a two-stage attack that exploited the Signalling System 7 (SS7) protocol. In other words, the hackers exploited SS7 to intercept the two-factor authentication codes sent to online banking customers, allowing them to empty bank accounts.


Push-to-accept appeals to end-users because of its simplicity: they just have to tap yes or no.

The problem with this approach as a tool for 2FA is human behaviour. Many users accept authentication requests without reading them, so push-to-accept requests are often approved without the end-user realising what they are agreeing to.

Most two-factor authentication technologies don’t securely notify the user what they’re being asked to approve. Therefore, it’s too easy for an inattentive user to approve an attacker’s transaction without knowing it.


The degree of reliance on third-party services (either authentication service providers or telecom companies) is also a factor to consider, since breaches in these services have in the past resulted in authentication failure.


There has been a significant shift towards cloud adoption in the past decade, with 83% of enterprise workloads expected to be in the cloud by 2020. As phishing threats become more prevalent, it is more important than ever to use additional data points to identify suspicious behaviour and patterns, such as a user’s login time and location, device type, network, geographical zone, physically impossible combinations of these signals, and more, in order to make risk-based access decisions.

Adaptive Authentication provides world-class security without impacting usability. That’s because risk checks are done without users even being aware of it — and multi-factor authentication is applied only if risks are detected.

Although multi-factor authentication has been able to reduce the risk of malware or a hack, the way forward for enterprises protecting large volumes of data appears to be adaptive authentication. Enterprises are looking for a long-term solution, and adaptive authentication takes the user’s behaviour, fits it into a matrix of variables that together form a risk profile of that user and, based on this, triggers additional authentication steps before the user is allowed access.

The whole process works in real-time and is much more intuitive, with factors such as geo-location and identity assurance, which combine to make the authentication process robust.
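The risk checks described above, as an added example that is not code from the article or from Mobliciti: a minimal risk engine scores one login against the user’s prior logins using the signals the article names (device, network, login time and impossible travel) and demands step-up MFA only when risk is detected. The weights, thresholds, the 1000 km/h travel cut-off and the sample login history are all assumptions made for the example.

```python
import math
from dataclasses import dataclass

MAX_PLAUSIBLE_KMH = 1000.0  # assumed cut-off; faster than this is "impossible travel"

@dataclass
class Login:
    ts: float  # Unix time in seconds
    lat: float
    lon: float
    device_id: str
    ip_prefix: str  # first three octets of the source IPv4, e.g. "203.0.113"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_score(attempt, history):
    """Score one login against the same user's prior successful logins.
    Returns (score, reasons). The weights are illustrative assumptions."""
    score, reasons = 0, []
    if not any(h.device_id == attempt.device_id for h in history):
        score += 30
        reasons.append("unknown device")
    if not any(h.ip_prefix == attempt.ip_prefix for h in history):
        score += 20
        reasons.append("unknown network")
    hour = int((attempt.ts // 3600) % 24)
    if history and hour not in {int((h.ts // 3600) % 24) for h in history}:
        score += 15
        reasons.append("unusual login time")
    if history:
        last = max(history, key=lambda h: h.ts)
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        hours = (attempt.ts - last.ts) / 3600
        if km > 50 and hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append("impossible travel")
    return score, reasons

def decide(score):
    """MFA is demanded only when risk is seen (thresholds are assumptions)."""
    return "allow" if score < 30 else "step-up-mfa" if score < 80 else "deny"

# Constructed sample history: one prior login from London at 09:00 UTC.
T0 = 1700384400
HISTORY = [Login(T0, 51.5074, -0.1278, "laptop-1", "203.0.113")]
```

A same-device login from London the next morning scores 0 and is allowed silently, while a new device from Sydney one hour after the London login trips the device, network, time and impossible-travel checks and is denied.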


How Can Mobliciti Help You?

Mobile technologies have revolutionised our working practices. Mobliciti’s CTO, Andy Brown, has been discussing over the past couple of years how the worlds of mobile and cloud have collided, with users increasingly using personal cloud services on their mobile devices in preference to traditional work solutions.

Mobliciti wants to help you secure and protect your data, using some of the most secure technologies in the industry. Get in touch today to find out how your business can gain from adaptive authentication, not only securing your data, but also benefitting your business.