
How Attacker Can Easily Passby 2FA

Token-based 2FA used by many SaaS apps can be bypassed through phishing. Attackers purchase domains similar to targets' and use man-in-the-middle frameworks like Evilginx2 to proxy legitimate logins. This allows capturing login credentials and tokens, bypassing 2FA. Organizations should implement adaptive MFA triggered by unusual signs like new locations, use U2F requiring domain matching to prevent phishing, and conduct security awareness training.

Uploaded by Ah Yuen

How an attacker can easily bypass 2FA, why it is no longer secure on its own, and how to prevent it

2-factor authentication has been rolled out in many organizations as a baseline control and has been top of mind for many CISOs. The world is changing fast, and attackers keep pushing the line to compromise an organization's security infrastructure. Today I would like to explain in a little more detail how an attacker can bypass 2-factor authentication.

Firstly, let's talk about token-based authentication, which is widely used in public SaaS apps. Token-based authentication is stateless: the application stores no information about the user on the server or in a session, and every single request must carry the token. The token is sent in an HTTP header (normally Authorization: Bearer ...) so that the requests stay stateless. This gives security and scalability benefits: the token lives on the client, the server keeps no session state, and a load balancer can therefore pass a user along to any of its servers. And because the token, not a cookie, is sent on every request, and the browser does not attach an Authorization header automatically the way it attaches cookies, it also helps to prevent Cross-Site Request Forgery attacks. [1]

SaaS applications combine token-based authentication with 2-factor authentication to provide strong authentication. However, the combination is still vulnerable to a well-crafted phishing attack: the second factor is verified by the real service, but the token the service issues afterwards can be stolen in transit.

The attacker first purchases a domain name that is a look-alike of the target application's domain, typically a character omission or a bitsquat (a single bit of one character flipped).

The attacker then leverages Evilginx2, a man-in-the-middle attack framework used for phishing login credentials along with session cookies (or, as in the flow below, whatever token the service returns through it), which in turn allows bypassing 2-factor authentication protection because the real service does the verifying.

1. The phished user receives an email asking them to visit the logon page through a link.
2. The phishing URL directs the user to the look-alike domain hosted on the Evilginx server, which is a reverse proxy in front of the legitimate web application's logon page. The site content is the real site's content, relayed live; only the domain name in the address bar is slightly different.
3. When the user enters the username and password, the Evilginx server records them and passes them on to the real web application.
4. The web application triggers the 2FA request to the user.
5. The user responds to the 2FA request; the response also passes through the Evilginx server.
6. The web application verifies the 2FA response.
7. The web application issues the token to the user; the response travels back through the Evilginx server.
8. The Evilginx server captures the token, and the attacker can use it from another machine to access the resources and services the user has access to, without ever being asked for the second factor.

[1] https://scotch.io/tutorials/the-ins-and-outs-of-token-based-authentication
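The eight steps above, as an added example that is not from the original page or from the Evilginx2 project: a constructed in-process Python simulation of a token-based SaaS login with an OTP second factor, an Evilginx2-style reverse proxy on a look-alike domain, and the attacker's replay of the stolen token. The domains, the user, the password and the toy OTP scheme are all assumed for illustration; requests and responses are plain dicts rather than real HTTP.

```python
"""Constructed simulation of the flow above: a token-based SaaS login with an
OTP second factor, an Evilginx2-style reverse proxy on a look-alike domain, and
the attacker replaying the stolen token. Service, proxy and victim are
in-process functions exchanging request/response dicts, not real HTTP; the
domains and the user are made up."""
import hashlib
import hmac
import secrets
import time

LEGIT_DOMAIN = "app.example.com"      # assumed legitimate SaaS domain
PHISH_DOMAIN = "app.exampIe.com"      # assumed look-alike (l -> I) the attacker bought


class SaasService:
    """Stateless token-based service: password, then OTP, then an HMAC-signed
    bearer token that every later request must carry in the Authorization header."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.users = {"alice": {"password": "correct horse", "otp_seed": b"alice-seed"}}
        self.awaiting_otp = set()
        self.clock = time.time

    def current_otp(self, user):
        # Toy TOTP: 30-second step, truncated HMAC (illustrative, not RFC 6238).
        step = int(self.clock()) // 30
        return hmac.new(self.users[user]["otp_seed"], str(step).encode(), hashlib.sha256).hexdigest()[:6]

    def _token(self, payload):
        return payload + "." + hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def handle(self, req):
        path, form, headers = req["path"], req.get("form", {}), req.get("headers", {})
        if path == "/login":
            user = self.users.get(form.get("user"))
            if user and hmac.compare_digest(user["password"], form.get("password", "")):
                self.awaiting_otp.add(form["user"])
                return {"status": 200, "body": "otp_required"}
            return {"status": 401, "body": "bad credentials"}
        if path == "/otp":
            name = form.get("user")
            if name in self.awaiting_otp and hmac.compare_digest(self.current_otp(name), form.get("otp", "")):
                self.awaiting_otp.discard(name)
                return {"status": 200, "body": {"token": self._token(f"{name}:{int(self.clock())}")}}
            return {"status": 401, "body": "bad otp"}
        if path == "/api/mail":
            token = headers.get("Authorization", "").removeprefix("Bearer ")
            payload = token.rpartition(".")[0]
            if payload and hmac.compare_digest(self._token(payload).encode(), token.encode()):
                return {"status": 200, "body": f"inbox of {payload.split(':')[0]}"}
            return {"status": 401, "body": "invalid token"}
        return {"status": 404, "body": "not found"}


class PhishingProxy:
    """Evilginx2-style man-in-the-middle: the victim talks to PHISH_DOMAIN, the
    proxy relays each request to the real service and records what passes through."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = {}

    def handle(self, req):
        form = req.get("form", {})
        if "password" in form:                                  # credentials in the POST body
            self.captured["user"], self.captured["password"] = form.get("user"), form["password"]
        relayed = dict(req, headers={**req.get("headers", {}), "Host": LEGIT_DOMAIN})
        resp = self.upstream.handle(relayed)                    # the real service verifies password and OTP
        if isinstance(resp["body"], dict) and "token" in resp["body"]:
            self.captured["token"] = resp["body"]["token"]      # the issued token passes back through us
        return resp


def run_phishing_flow():
    service = SaasService()
    service.clock = lambda: 1_700_000_000.0                     # frozen clock keeps the OTP deterministic
    proxy = PhishingProxy(service)
    # Steps 1-3: the victim follows the link and logs in on the look-alike domain.
    proxy.handle({"path": "/login", "headers": {"Host": PHISH_DOMAIN},
                  "form": {"user": "alice", "password": "correct horse"}})
    # Steps 4-7: the real service demands the OTP, the victim answers, the token returns via the proxy.
    proxy.handle({"path": "/otp", "headers": {"Host": PHISH_DOMAIN},
                  "form": {"user": "alice", "otp": service.current_otp("alice")}})
    # Step 8: the attacker uses the captured token from another machine, straight to the real service.
    replay = service.handle({"path": "/api/mail", "headers": {"Host": LEGIT_DOMAIN,
                             "Authorization": "Bearer " + proxy.captured["token"]}})
    return proxy.captured, replay
```

Nothing in the service's verification is wrong: the password and the OTP are genuinely checked, and the token is genuinely signed. The proxy wins because every message, including the OTP answer and the token response, passes through it, and because the token is a bearer credential that the service accepts from any client that presents it.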

There are a couple of things an organization should do to avoid this kind of attack.

1. Implement an access broker for cloud apps: adopt a cloud IAM solution and deploy a conditional access policy for company web and SaaS applications. The policy should check the state of the device requesting access (company-managed or unknown) and the sign-in location (office network or off-site). In the attack above the sign-in reaches the service from the Evilginx server, not from the user's managed device or the office network, which is exactly the signal such a policy can act on.
2. Combine further factors on top of plain 2-factor authentication to form multi-factor authentication. Note the limit: any factor the user answers in real time (an OTP code, a push approval) is relayed by the proxy just as the password was, so an extra factor only raises the bar if it is bound to the origin, as in point 4.
3. Implement adaptive MFA, which triggers MFA based on dynamic intelligence such as an unfamiliar sign-in location, a Tor exit node, and so on.
4. Deploy the FIDO Alliance's U2F (Universal 2nd Factor). What is different about this form of authentication is that the U2F protocol takes the website's origin as one of the key components of the handshake: the browser, not the web page, supplies the origin to the U2F device, and the relying party checks it. If the domain in the browser's address bar does not match the domain the credential was registered for, the device produces no usable response and the login simply fails, without relying on the user to notice the look-alike domain. The same origin binding is carried forward by FIDO2/WebAuthn, U2F's successor.
5. Last but not least, regularly run phishing attack simulations against users as part of the enterprise security awareness program.
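Point 4 above, as an added example that is not from the original page or from the FIDO specifications: a constructed Python simulation of a U2F/WebAuthn-style origin-bound second factor facing the same relaying proxy. The rpId, the origins and the credential are assumed, and an HMAC with a key shared with the relying party stands in for the real public-key signature so the code runs with the standard library; the origin and rpId checks are what the example demonstrates.

```python
"""Constructed simulation of an origin-bound second factor (U2F / FIDO2
WebAuthn style) facing a reverse-proxy phish. The 'signature' is an HMAC over
a per-credential secret shared with the relying party; it stands in for the
real public-key signature so the example runs with the standard library.
The origin and rpId checks are the point."""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                       # assumed relying-party identifier
LEGIT_ORIGIN = "https://app.example.com"    # assumed legitimate origin
PHISH_ORIGIN = "https://app.exampIe.com"    # assumed look-alike (l -> I) origin


class Authenticator:
    """Security key: one credential per rpId, unusable for any other rpId."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]            # 'public key' handed to the RP (HMAC stand-in)

    def sign(self, rp_id, client_data_hash):
        key = self.creds.get(rp_id)
        if key is None:
            return None                     # no credential scoped to this rpId
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        return rp_id_hash, hmac.new(key, rp_id_hash + client_data_hash, hashlib.sha256).digest()


class Browser:
    """The browser, not the page, writes the page's origin into clientData and
    refuses an rpId that is not a registrable suffix of that origin's host."""
    def __init__(self, authenticator):
        self.authn = authenticator

    def get_assertion(self, page_origin, rp_id, challenge):
        host = page_origin.split("://", 1)[1]
        if host != rp_id and not host.endswith("." + rp_id):
            raise ValueError(f"rpId {rp_id!r} does not match origin {page_origin!r}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True)
        result = self.authn.sign(rp_id, hashlib.sha256(client_data.encode()).digest())
        if result is None:
            raise ValueError(f"no credential registered for rpId {rp_id!r}")
        return {"clientData": client_data, "rpIdHash": result[0], "signature": result[1]}


class RelyingParty:
    """Server side: checks origin, challenge and rpIdHash before the signature."""
    def __init__(self, credential_key):
        self.key = credential_key
        self.challenge = None

    def new_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def verify(self, assertion):
        cd = json.loads(assertion["clientData"])
        if cd.get("origin") != LEGIT_ORIGIN:
            return "rejected: origin mismatch"
        if cd.get("challenge") != self.challenge:
            return "rejected: stale or unknown challenge"
        if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
            return "rejected: rpIdHash mismatch"
        expected = hmac.new(self.key, assertion["rpIdHash"]
                            + hashlib.sha256(assertion["clientData"].encode()).digest(),
                            hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(expected, assertion["signature"]) else "rejected: bad signature"


def login(page_origin, rp_id_sent_to_browser):
    """One login attempt. The challenge and rpId come from the real RP; a
    phishing proxy can relay them unchanged or rewrite the rpId to its own
    domain, but it cannot change the origin the browser records."""
    authn = Authenticator()
    rp = RelyingParty(authn.register(RP_ID))
    browser = Browser(authn)
    challenge = rp.new_challenge()          # relayed by the proxy in the phishing case
    try:
        assertion = browser.get_assertion(page_origin, rp_id_sent_to_browser, challenge)
    except ValueError as err:
        return f"browser refused: {err}"
    return rp.verify(assertion)             # relayed back by the proxy in the phishing case
```

Run `login(LEGIT_ORIGIN, RP_ID)` for the normal case and `login(PHISH_ORIGIN, RP_ID)` or `login(PHISH_ORIGIN, "exampIe.com")` for the two things a relaying proxy can do. The proxy cannot pass the real rpId through, because the browser refuses it for a non-matching origin, and it cannot substitute its own, because the security key holds no credential for it; either way the user never produces anything the attacker could replay, and they did not have to spot the swapped character to be safe.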
