Multi-factor Authentication In-The-Wild bypass methods

Introduction Link to heading

Two-factor authentication (2FA) or multi-factor authentication ( MFA ) is a method to authenticate through a service that requires at least two proofs of recognition.

Today, most cloud services require the typical user to use 2FA methods, such as Google, Microsoft, Okta, and AWS (with some exceptions).

The easiest way to implement 2FA is using a one-time password (OTP). OTPs can be delivered in several ways:

  • SMS message
  • physical OTP device (small display with changing tokens)
  • authenticator app — such as Google authenticator
  • physical device — a card with a specific private key (256 characters long), such as YubiKey

The IT industry puts a lot of faith in MFA, but it’s not bulletproofed. There have been many attacks that bypass this solution over the years, and we’re seeing more now than ever.

There’s no such thing as a perfect login solution that will give a complete match to all companies’ security needs and goals, but there are some MFAs that offer better outcomes.

Bypassing SMS 2FA Link to heading

SMS authentication was once considered among the most secure ways for users who want a quick response time and don’t have access tokens or other physical devices. However, several advanced persistent threat (APT) groups have bypassed this protection with ease.

Compromised Device Link to heading

Some of the more advanced APT groups have infected the victim’s smartphone with information-stealing malware, which then accesses the 2FA SMS messages received from the cloud authentication platform.

The nation-state APT group Rampant Kitten has created a malicious app that steals SMS messages from its victims.

Screenshot from the malicious app

The app records all two-factor SMS messages and forwards the messages to a server controlled by the attacker.

Compromised Telecommunication — SS7 attack Link to heading

Signaling System 7 (SS7) is a telecom communication protocol developed in 1975, in use in 2G and 3G networks.

SS7 Communications

In 2008, security researchers revealed a vulnerability in the SS7 protocol that enabled them to geolocate any phone number. This vulnerability required the attacker to gain access to SS7 network.

In 2014, a new vulnerability was discovered that enabled eavesdropping on cell phone communications (SMS and calls), by requesting that each caller’s carrier release a temporary encryption key to unlock the communication after it is recorded.

The first direct evidence of exploitation of the SS7 network to bypass MFA was in 2018. A German mobile service provider confirmed that attackers exploited this SS7 vulnerability to bypass two-factor authentication in a number of bank accounts, allowing them to withdraw money. The threat actors used a banking trojan to harvest the initial credentials of the victims, and after logging in, they used the SS7 exploit to receive confirmation of the withdrawal amounts and transfer the money.

Are SS7 vulnerabilities still an issue? Absolutely. Link to heading

Although the latest versions of telecommunications — 4G and 5G — have implemented several security measures to prevent vulnerabilities, they must interoperate with 2G and 3G legacy technology.

In 2021, the Global System for Mobile Communications (GSMA) estimated that currently, 30% of telecommunications were still using 2G and 3G networks. As long as those networks are relevant, SS7 attacks are a risk.

Compromised Telecommunication Provider — Sim-Swapping Link to heading

Because implementing telecommunications hacks such as SS7 exploitation can be quite complicated, many recent hackers don’t even bother to exploit such vulnerabilities — they are trackable and easily identifiable.

Sim-swapping is an attack in which attackers gain access to a telecommunication provider. One way is by social-engineering the providers’ worker to change the phone number to the attacker’s sim card. Alternately, attackers can sim-change the internal platform, and redirect all communications from the legitimate phone number to the attacker-controlled sim card.

Since the compromised victim has no awareness of this attack, and the attacker can redirect any phone number to the desired location, this method is the most popular for sim-swappers.

LAPSSUS$, a cybercrime group that published internal information of major software companies such as Microsoft, Nvidia, and Samsung, has used this method to bypass 2FA logins using SMS redirections. A leaked conversation revealed the group gained access to an internal tool of T-Mobile and specifically targeted the company’s employees in order to access an internal platform to conduct such sim-swaps.

LAPSUS$ leader ‘White’/’Lapsus Jobs’ looking up the Department of Defense in T-Mobile’s internal Atlas system.

Atlas system, an internal tool at T-Mobile, was used by the cybercrime group for sim-swapping.

As the demand for sim-swapping is growing, darknet/Clearnet markets have popped up to sell sim-swapping as a service:

Taken from telegram marketplace for sim-swappers

Taken from the Russian marketplace

Taken from Russian marketplace, translation from Google Translate: [HR1]

I do Sim Swap of any operators USA I make a swap only for the withdrawal of crypto and that’s all, for banks and for other purposes I do not make a swap I am looking for people with logs or with accounts, I work 50 to 50 For swap you only need a number and everything Kidals (scammers?) in the woods In LS (PM?) throw (send?) your Telegram accounts

Bypassing OTP 2FA (Authentication-Apps/physical tokens) Link to heading

SMS 2FA authentication methods are the easiest to bypass, That being said, bypassing other methods is a bit more complex but certainly doable.

Phishing — oldie but goldie Link to heading

Old methods such as phishing did not work for bypassing 2FA as is. This led attackers to evolve and create new methods to bypass 2FA on their phishing sites.

The new attack is called “RealTimePhishing.” With this method, the attacker relays the credentials and the 2FA codes to a designated server, which then sends a request in real-time to the legitimate service (server?) to authenticate.

“RealTime phishing”

The flow of the attack is as follows:

  1. the victim enters the user name and password credentials into the phishing site
  2. the phishing server sends a legitimate request to the legitimate site using the victim’s credentials
  3. the legitimate site sends a 2FA code to the victim
  4. the victim types in the phishing site the 2FA
  5. 2FA is forwarded to the legitimate site
  6. the legitimate site sends a session cookie to the attacker

This method only works if the flow is fluent, and the legitimate site does not block requests from the malicious server.

Automating 2FA Bypass — Phishing Link to heading

Like every concept in cyber security, automation for such operations has been built.

One such automation is called Evilngix2, a tool used to create automatic 2FA bypass phishing templates.

The server is configured to imitate legitimate login sites such as:

  • LinkedIn
  • Okta
  • Microsoft Office 365
  • and many more 7 All the user needs for set-up is a valid registered domain name (, and if possible, it will enable SSL on the site.

Running the tool inside a docker

The tool will create a subdomain of choice, and host a phishing template (or phishlet) of the desired legitimate site.

The phishing site will try to authenticate by using the user’s credentials and OTP to steal the token (cookie).

Physical Bypass Link to heading

Physical 2FA authentication devices are the most secure way to keep your data private since users don’t have access when not connected.

Regardless of this layer of security, physical vulnerabilities in 2FA providers like Yubikey and Google Titan were discovered in 2021 by researchers, who were then able to copy an exact replica of the Key using a side-channel attack.

What is Side-Channel Attack? Link to heading

“A side-channel attack does not target a program or its code directly. Rather, a side-channel attack attempts to gather information or influence the program execution of a system by measuring or exploiting the indirect effects of the system or its hardware. Put simply, a side-channel attack breaks cryptography by exploiting information inadvertently leaked by a system. One such example is the van-Eck phreaking attack, which is also known as a Transient Electromagnetic Pulse Emanation Standard (TEMPEST). This attack monitors the electromagnetic field (EMF) radiation emitted by a computer screen to view information before it is encrypted.” — Rambus Electronics

If those words above confuse you, you are not alone — this attack is highly complicated! The researchers authored a 60-page report on this attack and explained that it requires very specific equipment, including a lab environment.

The lab used in the research

This attack method is unlikely to occur, but it is still a vulnerability worth considering.

Going Forward — Password-Less Sign-In Link to heading

The main security issues are basically with passwords getting passed around, and ending up in the wrong hands.

The FIDO Alliance, which is an agreement between the major software companies, including Google, Microsoft, Meta (Facebook), and Apple, has taken steps to resolve these issues by pushing forward a new authentication method that will require users to use their phone as a physical token.

Authentication is made by physical confirmation of the user’s identity. Physical confirmation can be achieved by two main secured methods:

  • Face ID
  • Fingerprint

With this method, the users themselves are not trusted, but their biometric characteristics are — this method removes entirely the human factor of the authentication (the weakest link of authentication, for now…).

Thanks to Omri Segev Moyal