What is Two-Step Authentication
Two-step authentication is an additional protection method, on top of the password, that helps us secure our accounts. Basically it is a second step: a second code that we have to enter in addition to the normal password.
It is increasingly present in social networks, Internet platforms, sign-up forms, device logins… The way we supply that second code or validate our account may differ. It is very common (although in truth it is not the safest option) to receive a code by SMS and enter it when logging in. We can also use authenticator applications or even physical security keys.
The goal of multi-factor authentication, as it is also known, is to prevent an intruder from accessing our account even if they have the password. Let's say someone has found out our Facebook password, or we have been the victim of a phishing attack. If we have 2FA activated, that intruder would still need the second code to get in.
Therefore, as we can see, it is an extra security barrier that comes in handy to be adequately protected. However, even this method can be exploited by cybercriminals. There are certain techniques they could use to break two-step authentication.
How they could break two-step authentication
We are going to look at the main methods a hypothetical intruder could use to break two-step authentication and gain access to our accounts. There are several options they could use, and it is good to know about them.
Social engineering
One of the most important methods for hackers when it comes to stealing two-step authentication codes is social engineering. It basically consists of tricking the victim into believing they are dealing with something legitimate, something safe.
They can use different strategies for this. One example would be to make a call posing as the bank and ask for a code that the victim will receive by SMS, supposedly to verify that they really are the legitimate user. What the victim actually receives is the 2FA code that authorizes a payment or some other action.
But they could also use malicious links, send an email, or approach the victim through social networks. In this way they could likewise fool the user and obtain the code needed to verify the account and log in.
Theft of cookies
They could also resort to cookie theft. To do this, they can carry out attacks such as cross-site scripting, deliver malware, or hijack the browser. In this way they manage to collect the passwords and even the 2FA code that the user submits.
Thus, thanks to cookie theft, the attacker could access a platform while skipping the two-step authentication code, since a stolen session cookie already represents a login that has completed both steps. It is, therefore, one more possibility that cybercriminals may have.
Brute force attacks
A classic in password theft, brute force can also be applied to 2FA codes. Of course, it must be borne in mind that it does not work the same on all platforms. That is, sometimes we find a two-step authentication code that is simply four digits. An attacker could perform a brute force attack, and it would be easier to exploit than if the code were eight digits long and also combined uppercase and lowercase letters.
Therefore, although brute force will succeed less often at stealing multi-factor authentication codes, the truth is that it is one more option they have.
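To make the brute force point concrete, here is an added example (not code from the original article) of how a service should verify a time-based 2FA code from an authenticator app. It implements HOTP/TOTP (RFC 4226 / RFC 6238, HMAC-SHA1, 30-second steps) with only the Python standard library, and the verifier adds the three server-side defences that make guessing impractical: a small time window, a per-account attempt limit with lockout, and rejection of replayed codes. The `guess_probability` helper shows why a four-digit code with no attempt limit is a problem and an eight-digit one is not. The secret, the attempt limits and the lockout duration are assumptions chosen for the example; the secret is the RFC test vector so the output can be checked against the RFCs.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(unix_time) // step, digits)

def guess_probability(attempts: int, code_length: int, alphabet_size: int = 10) -> float:
    """Chance that `attempts` random guesses hit one uniformly random code."""
    return min(1.0, attempts / (alphabet_size ** code_length))


class TotpVerifier:
    """Server-side check of a submitted code. Assumed policy for this example:
    +/- one time step of tolerance, 5 failed attempts then a 300 s lockout,
    and a code is accepted at most once (no replay)."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1,
                 max_attempts: int = 5, lockout_seconds: int = 300):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_accepted_counter = -1

    def _record_failure(self, now: int) -> None:
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0

    def verify(self, code: str, now: int):
        if now < self.locked_until:
            return False, "locked"
        if not (code.isdigit() and len(code) == self.digits):
            self._record_failure(now)
            return False, "malformed"
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            # Constant-time comparison so timing does not reveal which digits matched.
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                if counter <= self.last_accepted_counter:
                    self._record_failure(now)
                    return False, "replayed"
                self.last_accepted_counter = counter
                self.failures = 0
                return True, "ok"
        self._record_failure(now)
        return False, "invalid"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test-vector secret, not a real key
    print("TOTP at t=59:", totp(secret, 59))
    print("4-digit code, 5 tries:", guess_probability(5, 4))
    print("8-digit code, 5 tries:", guess_probability(5, 8))
    v = TotpVerifier(secret)
    print(v.verify(totp(secret, 59), 59))
    print(v.verify(totp(secret, 59), 60))  # same code again: rejected as a replay
```

The numbers speak for themselves: with five attempts before lockout, an attacker guessing a four-digit code succeeds 1 time in 2000, and an eight-digit code 1 time in 20 million. Without the attempt limit, a four-digit code falls to at most 10,000 guesses, which is why the lockout and the code length matter together.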
Use of third party programs to log in
There are pages that allow us to log in through social networks, or that rely on a program to receive a code and enter it later. If an attacker has managed to steal access to one of these platforms or programs, they could also gain control of our account and bypass the 2FA code. It is yet another alternative they can use.
How to prevent the theft of 2FA codes
We have seen that two-step authentication is very useful to protect our accounts. However, hackers could also bypass this security. It is essential that we take action, and that is why we are going to give some important advice.
Create strong passwords
Two-step authentication is a very important complement to passwords, but don't forget that using a strong password is also going to be very important. We must create passwords that meet the appropriate requirements, such as having upper and lower case letters, numbers and other special symbols.
A strong password is also one that is unique, that we are not using anywhere else, and that is completely random. We must avoid using words that relate to us, dates or any similar data.
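As an added example (not from the original article), the following checker turns the requirements above into code: character classes, minimum length, no personal words, no years, no reuse, plus an entropy estimate and a generator that uses the operating system's CSPRNG. The personal-word list and the reused-password list are constructed sample data for the example; a real implementation would compare against the hashes of previous passwords rather than keeping them in the clear.

```python
import math
import re
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = string.punctuation
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS

# Constructed sample data: words easily linked to this hypothetical user.
PERSONAL_WORDS = {"alice", "fluffy", "madrid"}
# Constructed sample data: a password this user already uses on another service.
REUSED_PASSWORDS = {"Summer2019!"}


def check_policy(password: str, personal_words=PERSONAL_WORDS, reused=REUSED_PASSWORDS) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c in UPPER for c in password):
        problems.append("no uppercase letter")
    if not any(c in LOWER for c in password):
        problems.append("no lowercase letter")
    if not any(c in DIGITS for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no special symbol")
    lowered = password.lower()
    if any(word in lowered for word in personal_words):
        problems.append("contains a personal word")
    if re.search(r"(19|20)\d{2}", password):
        problems.append("contains a year")
    if password in reused:
        problems.append("reused on another service")
    return problems


def entropy_bits(password: str) -> float:
    """Upper-bound entropy assuming each character was drawn uniformly from
    the union of the character classes that actually appear in the password."""
    pool = sum(len(cls) for cls in (UPPER, LOWER, DIGITS, SYMBOLS)
               if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length: int = 16) -> str:
    """Draw characters with `secrets` (CSPRNG) and retry until the policy is met."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate, personal_words=set(), reused=set()):
            return candidate


if __name__ == "__main__":
    for pw in ("Summer2019!", "fluffy", "xK9#mQ2vL!pR7wZ$"):
        print(pw, "->", check_policy(pw) or "ok", f"({entropy_bits(pw):.1f} bits)")
    print("generated:", generate_password())
```

Note that `entropy_bits` is only an estimate of what a random generator could have produced; a human-chosen password like "Summer2019!" scores well on character classes yet fails the policy for the reasons the text gives (a date, and reuse), which is exactly why the policy check and the entropy figure are reported separately.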
Use safe 2FA programs
Are we going to use programs to generate 2FA codes? It is a very interesting option, but we must use services that are reliable. We must avoid those that give us no guarantees and can become a security problem rather than really protecting us.
Do not store codes insecurely
Of course, we must also avoid storing two-step authentication codes insecurely. This could be, for example, keeping them in a plain text file on our computer. If an intruder gained access to the system, they could take control very easily.
Common sense
Another very important issue is common sense. Here we can mention, for example, avoiding opening insecure links, logging in through third-party sites, or giving out our code when we receive a call or a message through social networks.
Ultimately, most attacks will require user interaction. The attacker is going to need the victim to take some kind of action. Hence common sense, not making mistakes, is one of the main security barriers we can have in order not to suffer problems.
In short, these are some tips to keep in mind to protect two-step authentication and, in this way, keep intruders out of our accounts and devices. A series of very interesting recommendations that we can put into practice.
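The plain-text-file problem has a service-side counterpart: the backup or recovery codes a platform hands out when 2FA is enabled must not be kept in the clear in its database either. As an added example (not from the original article), here is how such codes can be generated and stored as salted PBKDF2 hashes and consumed once, so a copy of the database does not hand an intruder a working second factor. The code length (10 hex characters), the iteration count and the store layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def generate_recovery_codes(count: int = 8) -> list:
    """Random one-time codes shown to the user exactly once at enrolment."""
    return [secrets.token_hex(5) for _ in range(count)]  # 40 bits of entropy each


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


class RecoveryCodeStore:
    """What the service keeps: a per-user salt and the hashes, never the codes."""

    def __init__(self, codes: list):
        self.salt = os.urandom(16)
        self.hashes = [_hash_code(c, self.salt) for c in codes]

    def redeem(self, submitted: str) -> bool:
        """Accept a code once and burn it; unknown or already used codes fail."""
        digest = _hash_code(submitted.strip().lower(), self.salt)
        for stored in self.hashes:
            # Constant-time comparison of the digests.
            if hmac.compare_digest(stored, digest):
                self.hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    codes = generate_recovery_codes(4)
    store = RecoveryCodeStore(codes)
    print("codes shown to user once:", codes)
    print("first use:", store.redeem(codes[0]))    # True
    print("second use:", store.redeem(codes[0]))   # False, already burnt
    print("left:", store.remaining())
```

On the user's side the equivalent of this is keeping the codes in a password manager or another encrypted vault rather than in a text file; on the service's side it is storing only the hashes and invalidating each code on first use, as the class above does.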