Often referred to as ‘2FA’, two-factor authentication is seen as one of the best ways to protect your accounts from improper use by anyone who is not you. Security professionals suggest using 2FA for everything from your email account and banking application to enterprise cloud platforms and social media accounts. In the last few years, malicious actors have continued to develop tactics to bypass even the most robust authentication methods by performing what is referred to as a Zero-Day 2FA Bypass Attack.
A zero-day 2FA bypass attack is particularly deadly because it leverages an unpatched flaw in an authentication system that is unknown to the software vendor and security teams, so attackers can launch their attack before a fix is developed or issued. Zero-day attacks differ from traditional phishing and password theft because they target the technologies and protocols that supplement passwords with additional identity verification.
As organisations are transitioning to a business model that is more reliant on cloud infrastructure, remote work, and identity-based security, understanding how zero-day 2FA Bypass Attacks function has become imperative for organisations, cybersecurity employees, and end-users.
What Is a Zero-Day 2FA Bypass Attack?
A zero-day vulnerability is a flaw in an application’s software that an attacker exploits before the vendor or developer knows the flaw exists. At the time of the attack there is no patch or mitigation available, which gives the attacker a considerable advantage.
A flaw in an authentication system that allows attackers to bypass multi-factor authentication entirely is called a zero-day 2FA bypass. Typically, 2FA requires two different methods of verifying someone’s identity, including:
- Something you know, i.e. a password
- Something you have, i.e. your mobile or hardware device
- Something you are, i.e. fingerprints, facial recognition
A successful 2FA bypass removes the requirement to verify the second factor or, in some cases, convincingly tricks the system into accepting a fraudulent authentication attempt.
Why Is 2FA Still Important?
Many people reading reports about 2FA bypasses conclude that multi-factor authentication isn’t effective. Although no security control is foolproof, enabling 2FA significantly reduces the overall risk from cyberattacks.
The majority of successful cyberattacks happen because users reuse their passwords, fall for phishing attacks, and do not have multi-factor authentication enabled. Discovering a zero-day bypass is very difficult for attackers, and the technique is usually targeted at a specific platform, protocol, or enterprise environment.
The methods attackers use to bypass 2FA require advanced skills, special infrastructure, and a carefully executed plan of attack. While no security control is immune to exploitation, using 2FA significantly limits overall exposure to risk.
Methods Used By Zero-Day 2FA Bypass Attacks
Zero-day two-factor authentication (2FA) bypass attacks vary widely based on the technology targeted. However, most of these attacks can be categorized into several broad types.
Session Token Hijacking
In modern authentication systems, a session token is created after a successful login and two-factor authentication so that the user stays logged in without having to re-authenticate frequently. If an attacker finds a vulnerability that lets them steal or forge a session token, they can access the system without completing the second factor again.
This has become increasingly common in attacks against cloud systems and enterprise collaboration platforms.
OAuth and SSO Exploitation
Single sign-on (SSO) systems and OAuth integration simplify the authentication process for users by allowing them to authenticate in one location and gain access to multiple services without logging in to each service separately.
If an attacker finds a vulnerability in the token-validation, redirect-handling, or authorization logic of an SSO or OAuth integration, they can bypass the authentication requirement altogether. A malicious application can also trick a user into granting it an access token, which gives the attacker access to the system without second-factor authentication.
As more organizations rely on identity federation to realize the benefits of SSO and OAuth, these vulnerabilities will have larger consequences on a broader scale.
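The redirect-handling weakness described above is easiest to see in code. The following Python is an added example, not code from the original article: it contrasts a lenient prefix-based redirect_uri check with an exact-match check, and verifies the OAuth state parameter on the callback. The client id, allowlisted URI and hostnames are constructed for the demonstration.

```python
import hmac
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical client "demo-app"; registered redirect
# URIs are stored in canonical form (https, lowercase host, exact path, no fragment).
REGISTERED_REDIRECTS = {
    "demo-app": {"https://app.example.com/oauth/callback"},
}

def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Lenient prefix match: accepts anything that merely starts with a registered URI,
    so a path such as /oauth/callback/../open-redirect slips through."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_REDIRECTS.get(client_id, ()))

def canonical_redirect(redirect_uri: str):
    """Normalise host case; reject non-https schemes, fragments and empty hosts."""
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() != "https" or parts.fragment or not parts.netloc:
        return None
    canonical = f"https://{parts.netloc.lower()}{parts.path}"
    if parts.query:
        canonical += "?" + parts.query
    return canonical

def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact match against the registered URIs: no wildcards, no path suffixes,
    and no query strings unless they were registered."""
    canonical = canonical_redirect(redirect_uri)
    return canonical is not None and canonical in REGISTERED_REDIRECTS.get(client_id, set())

def verify_callback_state(expected_state: str, returned_state: str) -> bool:
    """The state bound to the user's browser session must come back unchanged;
    a constant-time comparison avoids leaking how many characters matched."""
    return bool(expected_state) and hmac.compare_digest(expected_state, returned_state)
```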
Push Notification Fatigue Exploit
Many authentication systems use push notifications to send a request to a user’s phone asking for approval of a login. Attackers have discovered a way to exploit human behavior by sending the user repeated login requests until the user accidentally approves one of them (approving the attacker’s login).
Though these are not always true technical zero-days, in some cases attackers combine ‘push fatigue’, where the attacker generates a disproportionate number of approval requests, with flaws in the authentication workflow that let them automate the approvals or delay or generate approvals within the approve-only timeframe.
A number of high-profile security breaches have involved hackers overwhelming the user with approval notifications until access was granted to the attacker.
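A defender can detect the repeated-prompt-then-approve pattern in MFA logs. The following Python is an added example, not from the original article; the log lines, user names and timestamps are constructed, and the alert threshold and window are illustrative values to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events, one per line: "<timestamp> <user> <result>".
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 alice denied
2024-05-01T08:00:20 alice timeout
2024-05-01T08:00:41 alice denied
2024-05-01T08:01:05 alice timeout
2024-05-01T08:01:30 alice approved
2024-05-01T08:05:00 bob approved
2024-05-01T09:15:00 carol denied
2024-05-01T11:00:00 carol approved
"""

def parse_events(text: str):
    """Turn the constructed log text into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def detect_push_fatigue(events, window_minutes: int = 10, threshold: int = 3):
    """Flag a user when an approval is preceded by at least `threshold` non-approved
    pushes (denied or timed out) within `window_minutes`: the push-fatigue signature."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            prior = [t for t, r in evs[:i] if r != "approved" and ts - t <= window]
            if len(prior) >= threshold:
                alerts[user] = {"approved_at": ts.isoformat(), "prior_prompts": len(prior)}
    return alerts
```

Such an alert should trigger a review of the approved session (and a forced re-authentication), not just a notification to the user who approved it.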
SIM Swapping and Telecom Risks
Vulnerabilities in mobile telecom networks are still being exploited against SMS/text message based verification. Attackers also use shortcomings in telecom providers’ account recovery processes to hijack the target’s phone number via various attack vectors.
As soon as the attacker obtains the target phone number, the attacker can receive SMS/text message based ‘verification codes’.
In a few zero-day scenarios, attackers have used flaws in the mobile carrier’s identity management system that allowed the unauthorized transfer of the target’s phone number without the attacker having to pass any of the standard security checks.
Browser-based Attacks
Authentication sessions stored in the user’s browser are a target for malicious users, both via malware infection of the user’s computer and via exploitable vulnerabilities within the web browser itself.
An attacker could exploit an unreported zero-day vulnerability in the user’s web browser to retrieve an authenticated session from the browser’s memory. This lets the attacker inherit a trusted session without having to authenticate as the victim (the trusted user).
Such trust-relationship attacks against browser sessions are especially severe because in many enterprise environments users access multiple cloud services through browser sessions that were established via 2FA.
Real-World Examples
In recent years, many sophisticated bypass techniques have been documented by cybersecurity experts and threat intelligence teams.
One key example of an emerging trend is the use of adversary-in-the-middle phishing toolkits. These toolkits provide attackers with fake web pages that function as transparent proxies, allowing an attacker to collect usernames, passwords, and temporary authentication codes from victims without them realising it.
While phishing kits have been around for a while, modern kits can capture the session cookie immediately after a successful authentication, negating the need for the second factor because the attacker uses the hijacked session instead.
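Both the session token hijacking section and the adversary-in-the-middle cookie capture described here come down to a stolen token being replayed from a client the server has never seen. The following Python is an added example, not from the original article, of server-side session binding: each session records a keyed fingerprint of the client context at MFA time, and a token presented from a different context is downgraded and reported rather than trusted as MFA-complete. The server key, IP prefixes and user-agent strings are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

@dataclass
class Session:
    user: str
    binding: str            # fingerprint of the client context when MFA completed
    mfa_verified: bool = True

def client_fingerprint(ip_prefix: str, user_agent: str) -> str:
    """Keyed hash of coarse client context (network prefix + user agent).
    Keyed so the stored value cannot be precomputed from public inputs."""
    msg = f"{ip_prefix}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user: str, ip_prefix: str, user_agent: str) -> str:
        """Issue a random session token after login + 2FA, bound to the client."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_fingerprint(ip_prefix, user_agent))
        return token

    def validate(self, token: str, ip_prefix: str, user_agent: str):
        """Return (status, user). A known token from a different client context is
        marked not MFA-verified so the caller forces re-authentication and alerts."""
        s = self._sessions.get(token)
        if s is None:
            return ("invalid", None)
        presented = client_fingerprint(ip_prefix, user_agent)
        if not hmac.compare_digest(s.binding, presented):
            s.mfa_verified = False
            return ("reauth_required", s.user)
        if not s.mfa_verified:
            return ("reauth_required", s.user)
        return ("ok", s.user)
```

Binding on a coarse prefix rather than the full address tolerates ordinary mobile roaming while still catching a replay from an unrelated network; a stricter deployment can add TLS channel binding or device certificates.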
Another area of increasing concern is identity provider misconfiguration. Verifying the correct flow of authentication is often overlooked during the rapid deployment of integrated cloud services. Attackers exploit these overlooked areas, such as misplaced trust relationships, poor API validation, and insecure recovery procedures.
Cybercrime groups that target cryptocurrency exchanges, banks and enterprise cloud accounts often employ multiple types of tactics concurrently, making detection much harder.
Why Do Attackers Target 2FA Systems?
Ultimately, attackers know that authentication systems are at the core of all modern digital infrastructure and, if compromised, can provide them with tremendous advantages.
A successful 2FA bypass can provide an attacker with authenticated access to:
- Paid email accounts
- Cloud management consoles
- Financial systems
- Cryptocurrency wallets
- Patient records
- Development platforms
- Customer databases
- Remote access systems
Once the attacker has authenticated access, they can appear to be a legitimate user, making traditional security monitoring less effective.
Ways Individuals Can Help Protect Accounts
Users can help protect their accounts against advanced attacks.
For example, to protect your account as an individual, try to follow these best practices:
- Avoid SMS-based authentication where possible to reduce exposure to SMS phishing.
- Use authenticator apps or hardware security tokens when possible.
- Enable alerts when a login is successful.
- Always run the latest version of browsers and software on your devices.
- Do NOT approve any MFA request you do not recognise.
- Verify the website URL you are logging into before entering your information.
- Use password managers with unique passwords.
Be cautious about approving any request for authentication. An unusual approval may signal an attack.
What Will Security Look Like in the Future?
Looking to the future of cybersecurity, attackers are increasingly targeting identities rather than attacking a network directly. This shift is partly because compromising an identity provides direct access to valuable resources.
Zero-day vulnerabilities that allow a bypass of 2FA demonstrate that even our most secure authentication mechanisms have potential weaknesses and bugs. However, they also demonstrate why it is important to use multi-layered security, patch rapidly, continuously monitor systems and domains, and follow current best practices when implementing authentication.
As organizations begin to move towards passwordless systems, phishing-resistant MFA, and Zero Trust architectures, the effectiveness of traditional bypass techniques will decrease. Nonetheless, attackers will continue to look for new ways to exploit weaknesses in authentication ecosystems.
Summary
In conclusion, the most severe type of 2FA bypass attack is the zero-day attack. Zero-day attacks leverage unknown or undetected vulnerabilities in identity systems, session management, telecom infrastructure, web browsers, and/or the overall authentication workflow, thereby circumventing the multi-factor protections of 2FA.
Even though threats that bypass 2FA continue, there remains an important reason to use multi-factor authentication: building strong authentication systems. Strong authentication is achieved by selecting and implementing stronger authentication types, layering defenses, actively monitoring identity activity, and deploying phishing-resistant technologies.
As cyber threats continue to evolve, authentication security will remain one of the most challenging battlegrounds in protecting digital systems, enterprise infrastructures, and personal accounts around the globe.