Keeping our accounts secure is essential to avoid problems that could compromise our privacy. Today we have a large number of registrations, we use many devices and, ultimately, we have to manage many passwords. Passwords are the main security barrier we have against intruders in our accounts. If we want to improve our protection even more, it is very important to use two-step authentication. In this article we are going to talk about how attackers could break 2FA and what we can do to avoid it.
What is Two-Step Authentication
Two-step authentication is an additional method, on top of the password, that allows us to protect our accounts. Basically it is a second step: a second code that we have to enter in addition to the normal password.

It is increasingly present on social networks, Internet platforms, registrations, when logging in to devices… The way in which we enter that second code or validate our account may differ. It is very common (although it is not the safest option) to receive a code by SMS and enter it when logging in. We can also use applications or even physical keys.
The goal of multi-factor authentication, as it is also known, is to prevent an intruder from accessing our account even if they have the password. Let’s say that someone has found out our Facebook password or we have been the victim of a phishing attack. If we have 2FA activated, that intruder would need a second code to enter.
Therefore, as we see, it is an extra security barrier that helps keep us adequately protected. However, even this method could be exploited by cybercriminals. There are certain options that they could use to break two-step authentication.

How they could break two-step authentication
Let’s see the main methods that a hypothetical intruder could use to break two-step authentication and gain access to our accounts. There are different options available to them and it is worth knowing about them.
Social engineering
One of the most important methods for hackers to steal two-step authentication codes is social engineering. It basically consists of deceiving the victim into thinking that they are dealing with something legitimate, something safe.
They can use different strategies for this. An example would be to make a call posing as a bank and request a code that the victim is going to receive by SMS, supposedly to verify that they are really the legitimate user. What the victim actually receives is a 2FA code that allows the attacker to make a payment or carry out some other action.
But they could also use malicious links, send an email or make contact through social networks. In this way, they could also fool the user and get the code to verify the account and log in.
Theft of cookies
They could also use cookie theft. To do this, they can carry out attacks such as cross-site scripting, sending malware or hijacking the browser. This way they manage to collect all the passwords and even the 2FA code that the user sends.
Thus, thanks to the cookie theft method, the attacker could access a platform by skipping the two-step authentication code. It is, therefore, one more possibility that cybercriminals may have.
Brute force
A classic in password theft, it can also be applied to 2FA codes. Of course, it must be borne in mind that it does not work the same on all platforms. That is, sometimes we can find a two-step authentication code that is simply four numbers. A brute force attack against such a code would be easier than against one of eight characters that also combines uppercase and lowercase letters.
Therefore, although brute force is less likely to succeed in stealing multi-factor authentication codes, the truth is that it is one more option that they have.
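The difference between those code formats can be made concrete. The following Python sketch is an added example, not code from the original article: it compares the number of possible four-digit codes with eight-character codes that mix digits and upper and lower case letters, and shows a server-side check that limits guesses. The class name, the cap of 5 attempts and the 120-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import string
import time

DIGITS = string.digits                        # 10 symbols
ALNUM = string.digits + string.ascii_letters  # 62 symbols: digits, upper, lower

def keyspace(alphabet: str, length: int) -> int:
    """Number of possible codes for a given alphabet and length."""
    return len(set(alphabet)) ** length

def guess_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(1.0, attempts / space)

class CodeChallenge:
    """One issued 2FA code with an expiry and an attempt cap (assumed policy values)."""

    def __init__(self, alphabet=DIGITS, length=6, max_attempts=5,
                 ttl_seconds=120, now=time.monotonic):
        self._code = "".join(secrets.choice(alphabet) for _ in range(length))
        self._now = now
        self._expires = now() + ttl_seconds
        self._remaining = max_attempts

    def verify(self, candidate: str) -> bool:
        # Expired or exhausted challenges fail closed, even for the right code.
        if self._remaining <= 0 or self._now() >= self._expires:
            return False
        self._remaining -= 1
        ok = hmac.compare_digest(candidate.encode(), self._code.encode())
        if ok:
            self._remaining = 0  # a code is single use
        return ok

def demo() -> dict:
    four, eight = keyspace(DIGITS, 4), keyspace(ALNUM, 8)
    return {
        "four_digit_space": four,
        "eight_alnum_space": eight,
        "p_four_unlimited": guess_probability(four, 10_000),
        "p_four_capped": guess_probability(four, 5),
        "p_eight_capped": guess_probability(eight, 5),
    }

if __name__ == "__main__":
    print(demo())
```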

Use of third party programs to log in
There are pages that allow us to log in through social networks or use a program to receive a code and then enter. If an attacker has managed to steal access to one of these platforms or programs, they could also have control of our account and bypass the 2FA code. It is yet another alternative that they can use.
How to prevent the theft of 2FA codes
We have found that two-step authentication is very useful to protect our accounts. However, hackers could also bypass this security. It is essential that we take action and therefore we are going to give some important advice.
Create strong passwords
Two-step authentication is a very important complement to passwords, but don’t forget that using a strong password remains very important. We must create passwords that meet the appropriate requirements, such as having upper and lower case letters, numbers and other special symbols.
A strong password is also one that is unique, that we are not using anywhere else, and that is also totally random. We must avoid using words that relate to us, dates or any similar data.
Use safe 2FA programs
Are we going to use programs to generate 2FA codes? It is a very interesting option, but we must use services that are reliable. We must avoid those that do not give us guarantees and could become a problem for our security rather than really protecting us.
Do not store codes insecurely
Of course we must also avoid storing two-step authentication codes insecurely. This could be, for example, having them in a plain text file on our computer. If a possible intruder accessed the system, they could easily take control.
Common sense
Another very important issue is common sense. Here we can mention, for example, avoiding opening insecure links, logging in through third-party sites, or giving out our code when we receive a call or through social networks.
Ultimately most attacks will require user interaction. The attacker is going to need the victim to take some kind of action. Hence common sense, not making mistakes, is one of the main security barriers that we have to avoid problems.
In short, these are some tips to keep in mind to protect two-step authentication and, in this way, avoid intruders on our accounts or devices. A series of very interesting recommendations that we can put into practice.