KnowBe4 Reveals Two-Factor Authentication Spoofing Bypass Risks | eWeek

KnowBe4 Details Two-Factor Authentication Spoofing Bypass Risks

Phishing attacks
May 10, 2018
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Two-factor authentication is a commonly used method to minimize the risks of password phishing attacks. However, 2FA itself has the potential to be spoofed and bypassed by an attacker, according to security awareness and training vendor KnowBe4.

In publicly posted video, Kevin Mitnick, chief hacking officer at KnowBe4, demonstrates a method by which he was able to bypass 2FA protection. Mitnick demonstrates how a spoofed login page for a 2FA protected service can be used to trick users into inputting their username, password and 2FA credentials. In the attack, Mitnick was able to use the same session ID token generated from the spoofed site to gain access to the legitimate site.

“This particular 2FA bypass isn’t new, and KnowBe4 didn’t discover it,” Roger Grimes, data-driven defense evangelist at KnowBe4, told eWEEK.


However, while KnowBe4 didn’t discover the 2FA bypass approach, it is doing its part to raise awareness around the issue, Grimes said. There are multiple scenarios where social engineering attacks, like the one demonstrated in the Mitnick video, can be used to bypass 2FA protections, he said.

“You’ll hear a lot of people say that 2FA is the solution to defeat phishing, and while using 2FA can help defeat some, simple forms of phishing, it doesn’t come close to stopping all forms of phishing and social engineering,” Grimes said.

Grimes explained that the 2FA bypass isn’t necessarily a bug in 2FA but rather is about attackers still being able to exploit the weakest link, which is often the user. The 2FA attack that Mitnick demonstrated has been around in its current form for several years, Grimes said, though he added that what’s relatively new is the Evilginx tool that Mitnick used. Evilginx is an open-source man-in-the-middle (MiTM) framework that enables researchers to phish the credentials and session cookies from a web service.

“There are some scenarios that Evilginx and similar attacks may not work on, but it’s more important to realize that there isn’t a 2FA scenario that can’t be hacked one way or another, and sometimes it’s as simple as sending a phish email,” Grimes said.

How It Works

The way the Evilginx 2FA bypass works, Grimes said, is that a user’s submitted authentication information, including 2FA proofs, is sent to the legitimate website. The attacker is then able to intercept the approved session authentication token/cookie the site sends back to the user after successfully being authenticated to the real site. 

“The interesting hack in this scenario is that we tricked the user into giving out their authentication information to a fake, look- and sound-alike website, which was our evil proxy,” he said. “It then took that information and pretended to be the originating user and sent that information to the real website.”

The real website had no idea or way of knowing that the proxy was not the originating client, Grimes said. He added that in some real-life scenarios, the legitimate website might be able to tell that the authentication request is originating from what it thinks is a new terminal and request the user to verify that the terminal he or she is using is the intended one. 

What Should Users Do?

There are multiple ways to mitigate the 2FA bypass risk, though Grimes believes user education on phishing is the key. If a user notices he or she is being directed to a fake web site, the attack would be thwarted, he said.

“Learn to recognize and avoid responding to phishing emails, that’s essential and key,” Grimes said.

Another way to limit the risk is by requiring a strong authentication method, like the FIDO authentication U2F (Universal Second Factor) approach.

“Most web sites offer multiple authentication methods to fit different user scenarios, so if it allowed FIDO but doesn’t require FIDO, the user’s session can still be downgraded and stolen,” Grimes said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.