Two-factor authentication (2FA) is a commonly used method to reduce the risk of password phishing attacks. However, 2FA itself can be spoofed and bypassed by an attacker, according to security awareness and training vendor KnowBe4.
In a publicly posted video, Kevin Mitnick, chief hacking officer at KnowBe4, demonstrates a method by which he was able to bypass 2FA protection. He shows how a spoofed login page for a 2FA-protected service can be used to trick users into entering their username, password and one-time 2FA code. Because the spoofed page relays that input to the real service, Mitnick was able to capture the session cookie that the legitimate site issued in response to the relayed login and use it to access the victim's account on the legitimate site, without needing the password or 2FA code again.
“This particular 2FA bypass isn’t new, and KnowBe4 didn’t discover it,” Roger Grimes, data-driven defense evangelist at KnowBe4, told eWEEK.
However, while KnowBe4 didn’t discover the 2FA bypass approach, it is doing its part to raise awareness around the issue, Grimes said. There are multiple scenarios where social engineering attacks, like the one demonstrated in the Mitnick video, can be used to bypass 2FA protections, he said.
“You’ll hear a lot of people say that 2FA is the solution to defeat phishing, and while using 2FA can help defeat some simple forms of phishing, it doesn’t come close to stopping all forms of phishing and social engineering,” Grimes said.
Grimes explained that the 2FA bypass isn’t necessarily a bug in 2FA but rather is about attackers still being able to exploit the weakest link, which is often the user. The 2FA attack that Mitnick demonstrated has been around in its current form for several years, Grimes said, though he added that what’s relatively new is the Evilginx tool that Mitnick used. Evilginx is an open-source man-in-the-middle (MITM) framework: it sits as a reverse proxy between the victim’s browser and the real web service, relaying the traffic in both directions so that it can capture the credentials and session cookies that pass through it.
“There are some scenarios that Evilginx and similar attacks may not work on, but it’s more important to realize that there isn’t a 2FA scenario that can’t be hacked one way or another, and sometimes it’s as simple as sending a phish email,” Grimes said.
How It Works
The way the Evilginx 2FA bypass works, Grimes said, is that the user’s submitted authentication information, including the 2FA proof, is relayed through the attacker’s proxy to the legitimate website. Because the legitimate site accepts the login, it sends back an authenticated session token or cookie, and the proxy intercepts that cookie on its way to the user.
“The interesting hack in this scenario is that we tricked the user into giving out their authentication information to a fake, look- and sound-alike website, which was our evil proxy,” he said. “It then took that information and pretended to be the originating user and sent that information to the real website.”
The real website had no way of knowing that the proxy, rather than the user’s own browser, was the originating client, Grimes said. He added that in some real-life scenarios, the legitimate website might be able to tell that the authentication request is coming from what looks like a new device and ask the user to verify that the device he or she is using is the intended one.
There are multiple ways to mitigate the 2FA bypass risk, though Grimes believes user education on phishing is the key. If a user notices he or she is being directed to a fake web site, the attack would be thwarted, he said.
“Learn to recognize and avoid responding to phishing emails, that’s essential and key,” Grimes said.
Another way to limit the risk is to require a phishing-resistant authentication method, such as the FIDO U2F (Universal Second Factor) approach. A U2F response is bound to the web origin the browser is actually talking to, so a response collected on a look-alike domain is not valid for the legitimate site and the attacker’s proxy cannot usefully relay it.
“Most web sites offer multiple authentication methods to fit different user scenarios, so if it allowed FIDO but doesn’t require FIDO, the user’s session can still be downgraded and stolen,” Grimes said.
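The relay described under “How It Works”, the origin binding that makes FIDO U2F resist it, and the downgrade Grimes warns about, as one added simulation. This is example code written for this page; it is not Evilginx, KnowBe4’s code or any real site’s login flow. Everything in it is constructed: the origins `login.example.com` and `login.example-com.co`, the `Site`, `EvilProxy` and `fido_sign` names, the victim’s secrets, and the use of an HMAC as a stand-in for the U2F key’s ECDSA signature. The TOTP function does follow RFC 6238.

```python
import hashlib, hmac, json, secrets, struct, time

# Constructed example origins: the legitimate site and a look-alike phishing domain.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-com.co"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def fido_sign(key: bytes, challenge: str, origin: str):
    """Stand-in for a U2F key: HMAC replaces ECDSA, but as with real U2F the signed
    client data names the origin the browser (not the page) was talking to."""
    client_data = json.dumps({"challenge": challenge, "origin": origin})
    return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).digest()


class Site:
    """Toy legitimate site: password plus TOTP, FIDO, or either, then a session cookie."""
    def __init__(self, users, allow_totp=True, allow_fido=True):
        self.users = users  # name -> dict(pw=..., totp=<seed>, fido=<key>)
        self.allow_totp, self.allow_fido = allow_totp, allow_fido
        self.sessions, self.challenges = {}, {}

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)  # the thing the proxy is really after
        self.sessions[cookie] = user
        return cookie

    def challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_totp(self, user, password, code, now):
        u = self.users.get(user)
        if not (self.allow_totp and u and password == u["pw"]):
            return None
        if not hmac.compare_digest(code, totp(u["totp"], now)):
            return None
        return self._issue_session(user)

    def login_fido(self, user, password, client_data, signature):
        u = self.users.get(user)
        if not (self.allow_fido and u and password == u["pw"]):
            return None
        cd = json.loads(client_data)
        # Origin binding: an assertion produced while the browser was on the phishing
        # origin names that origin, so it is rejected even though the signature is valid.
        if cd.get("origin") != REAL_ORIGIN or cd.get("challenge") != self.challenges.pop(user, None):
            return None
        expected = hmac.new(u["fido"], client_data.encode(), hashlib.sha256).digest()
        return self._issue_session(user) if hmac.compare_digest(signature, expected) else None

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class EvilProxy:
    """Reverse proxy at PHISH_ORIGIN: relays the victim's submission unchanged to the
    real site and keeps a copy of whatever session cookie comes back."""
    def __init__(self, site):
        self.site, self.captured = site, None

    def relay_totp(self, user, password, code, now):
        self.captured = self.site.login_totp(user, password, code, now)
        return self.captured  # the victim is logged in too and notices nothing

    def relay_fido(self, user, password, client_data, signature):
        self.captured = self.site.login_fido(user, password, client_data, signature)
        return self.captured


def run_scenarios(now=None):
    """Returns, per scenario, which user the attacker's captured cookie resolves to."""
    now = int(time.time()) if now is None else now
    seed, key = b"victim-totp-seed", b"victim-u2f-key"  # constructed victim secrets
    users = {"alice": dict(pw="hunter2", totp=seed, fido=key)}

    # 1. TOTP only: the relayed code is valid at the real site, so the cookie is captured.
    proxy = EvilProxy(Site(users, allow_totp=True, allow_fido=False))
    proxy.relay_totp("alice", "hunter2", totp(seed, now), now)
    totp_stolen = proxy.site.whoami(proxy.captured)

    # 2. FIDO required: the browser signs over PHISH_ORIGIN, so the relayed assertion fails.
    proxy = EvilProxy(Site(users, allow_totp=False, allow_fido=True))
    cd, sig = fido_sign(key, proxy.site.challenge("alice"), PHISH_ORIGIN)
    fido_stolen = proxy.site.whoami(proxy.relay_fido("alice", "hunter2", cd, sig))

    # 3. FIDO offered but TOTP still accepted: the proxy simply shows the TOTP form.
    proxy = EvilProxy(Site(users, allow_totp=True, allow_fido=True))
    proxy.relay_totp("alice", "hunter2", totp(seed, now), now)
    downgrade_stolen = proxy.site.whoami(proxy.captured)

    return {"totp": totp_stolen, "fido": fido_stolen, "downgrade": downgrade_stolen}
```

Calling `run_scenarios()` gives `{'totp': 'alice', 'fido': None, 'downgrade': 'alice'}`: the relayed TOTP login hands the proxy a live cookie for the victim, the relayed FIDO assertion is refused because the browser wrote the phishing origin into the signed client data, and the third case is Grimes’s downgrade, where a site that merely allows FIDO alongside TOTP is no better off than one without it. A real attack never needs the victim’s password or code again once it holds the cookie, which is why the proxy stores the cookie rather than the credentials.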
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.