Ethical hacking: Top 6 techniques for attacking two-factor authentication

Introduction 

Two-factor authentication (2FA) has been renowned for some time now for the security it can bring to organizations. The combination of something you know, something you have and something you are is the heart and soul of 2FA and helps explain its relative security strength. 

Despite this fact, attackers are known to have several ways to successfully attack 2FA, and as an ethical hacker, it is your job to understand these potential attacks. This article will detail the top six techniques for attacking 2FA and present you with an all-around picture of the kinds of 2FA attacks you can expect to encounter when working as an ethical hacker.

What is two-factor authentication?

2FA is a method of authentication that brings an extra dish of security with it to the proverbial information security potluck. Instead of relying solely on the traditional combination of a username and password, 2FA schemes require that users authenticate with the following:

  • Something you know: Password, PIN, etc.
  • Something you have: Smart card, USB token, etc.
  • Something you are: Voice, iris, fingerprints, etc.

There are two ways to authenticate:

  • One-way: This is the most common type of authentication. Only one side proves its identity, either the server or the client, with server-only authentication being the most widely used.
  • Two-way (mutual authentication): Both client and server must authenticate to each other. It is less common than one-way authentication but is more secure.
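The difference between the two modes is easiest to see in a challenge-response exchange. The following added example (not from the original post) runs a nonce-based HMAC handshake over a pre-shared key and compares one-way authentication, where only the server checks the client, with mutual authentication, where the client also checks the server's proof. The shared key, role labels and message layout are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed pre-shared key for the demo; a real deployment would provision
# per-client keys or use certificates rather than a single shared secret.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
NONCE_LEN = 16


def proof(key: bytes, role: bytes, first_nonce: bytes, second_nonce: bytes) -> str:
    """HMAC-SHA256 over (role || nonce1 || nonce2). The role label gives domain
    separation so a server's proof can never be replayed as a client's proof."""
    return hmac.new(key, role + first_nonce + second_nonce, hashlib.sha256).hexdigest()


def run_handshake(client_key: bytes, server_key: bytes, mutual: bool) -> dict:
    """Simulate both parties of the exchange.

    Message 1 (server -> client): server nonce Ns
    Message 2 (client -> server): client nonce Nc, HMAC(client_key, "client" || Ns || Nc)
    Message 3 (server -> client, mutual only): HMAC(server_key, "server" || Nc || Ns)
    """
    ns = os.urandom(NONCE_LEN)          # message 1
    nc = os.urandom(NONCE_LEN)
    client_proof = proof(client_key, b"client", ns, nc)  # message 2

    # Server side: recompute with its own key and compare in constant time.
    server_accepts_client = hmac.compare_digest(
        proof(server_key, b"client", ns, nc), client_proof
    )

    if not mutual:
        # One-way: the client never asks the server to prove anything.
        return {"server_accepts_client": server_accepts_client,
                "client_accepts_server": None}

    server_proof = proof(server_key, b"server", nc, ns)  # message 3
    client_accepts_server = hmac.compare_digest(
        proof(client_key, b"server", nc, ns), server_proof
    )
    return {"server_accepts_client": server_accepts_client,
            "client_accepts_server": client_accepts_server}


if __name__ == "__main__":
    wrong_key = b"constructed-key-of-an-impostor"
    print(run_handshake(SHARED_KEY, SHARED_KEY, mutual=True))   # both True
    print(run_handshake(SHARED_KEY, wrong_key, mutual=False))   # client learns nothing
    print(run_handshake(SHARED_KEY, wrong_key, mutual=True))    # client rejects the server
```

The point the bullets make shows up in the last two calls: in the one-way run the client has no result at all for the server's identity, while in the mutual run a server holding the wrong key is detected by the client. The fresh nonce from each side is what keeps a recorded proof from being replayed later.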

Top 6 techniques for attacking two-factor authentication

1. Social engineering

Without a doubt, the top technique to attack 2FA is social engineering. 2FA relies heavily on knowledge that is only known by the user, and when a website or service that uses 2FA is seemingly not working, users naturally reach out to tech support. Attackers have been observed socially engineering tech support in order to get the user to reset their (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/96RnAekgvUY/