Hackers are not lazy, they evolve fast, so relying on old security measures is a terrible idea. Today we will look into how secure two-factor authentication is in general, what methods are used to hack 2FA and up-to-date ways to protect yourself against those account hacks. Finally, you will get answers to the most recurrent questions on 2FA security. How secure is two-factor authentication? Is two-factor authentication safe? All accounts (emails, apps, online stores, etc.) are protected with a user password, it’s been done that way for ages. Unfortunately, passwords like “123456”, “qwerty” and “password” have been the most used ones for ages too. They still are, however mind-boggling that is. 2FA authentication adds a second layer to the common user password protection. The second security factor can be either something you have (your cellphone or hardware OTP token) or something you are (your fingerprint). In addition to something you know (the password), it creates another way for the server to confirm you are who you say you are. So an account protected with dual authentication is much harder to hack into, even if the user password is easy to compromise. The strengths of one factor surpass the vulnarability of the other. But is two-factor authentication hackable? It is if you let it. Let’s take a look at how. How would hackers bypass two-factor authentication system? 1. Real-time phishing 2FA was created to fight against phishing as a login weakness. Lo and behold … the hackers come up with a new two-factor authentication hack — real-time phishing. A fake website that looks exactly like its legitimate counterpart is set up. Then the hacker sends the target an email prompting them to login for whatever reason (account expiration, some action needed to be taken etc). The user goes to the login page, which looks and works exactly like the one the user expects to see, they log in using their user password. Then the fake website asks for the second factor, just like the legitimate one would, the user complies and enters the OTP (one-time password) and the phishing website captures both passwords. In the background, the hacker has a few seconds to use the combination to get into the real account. 2. Social Engineering This is a popular social engineering scheme — a criminal impersonates the target’s bank or a service provider, there have been accidents when a crook impersonated even a law enforcement agent and tricks the user to disclose the OTP. However, many warnings are issued, however often the account providers tell their customers to never trust such calls, social engineering attacks are still very successful. 3. Man in the middle and man in the browser attacks Man in the middle attack implies that the hacker inserts himself in the middle of the two systems’ communication. This can be done either with a fraudulent cryptographic certificate, inserting fake root certificates in the target’s browser database of trusted certificates, or by compromising a root certificate authority listed in the database. As a result, two connections are created — client-attacker and attacker-server, instead of a single client-server one. Once the connection is intercepted the hacker can read and modify the transactions done via the connection. Man in the browser uses a Trojan horse to intercept and manipulate the transactions on-the-go as they are made in the browser. With this attack the browser’s display is falsified, the user sees their intended transaction. In both attacks, the user won’t notice anything amiss. 4. SMS authentication issues The main SMS 2FA weakness is the dependency on the service provider. The practice of reusing mobile phone numbers is a distinctive risk. If your...