KnowBe4 Details Two-Factor Authentication Spoofing Bypass Risks

Two-factor authentication (2FA) can minimize some password security risks, but KnowBe4 warns that attackers can use social engineering to bypass the added protection. 2FA is a commonly used method of reducing the risk of password phishing attacks. However, 2FA itself can be spoofed and bypassed by an attacker, according to security awareness and training vendor KnowBe4.

In a publicly posted video, Kevin Mitnick, chief hacking officer at KnowBe4, demonstrates a method by which he was able to bypass 2FA protection. Mitnick shows how a spoofed login page for a 2FA-protected service can be used to trick users into entering their username, password and 2FA credentials. In the attack, Mitnick was able to reuse the session ID token generated through the spoofed site to gain access to the legitimate site.

KnowBe4 didn't discover the 2FA bypass approach, but it is doing its part to raise awareness of the issue, Grimes said. There are multiple scenarios in which social engineering attacks like the one demonstrated in the Mitnick video can be used to bypass 2FA protections, he said.

"You'll hear a lot of people say that 2FA is the solution to defeat phishing, and while using 2FA can help defeat some simple forms of phishing, it doesn't come close to stopping all forms of phishing and social engineering," Grimes said.

Grimes explained that the 2FA bypass isn't necessarily a bug in 2FA itself; rather, attackers are still able to exploit the weakest link, which is often the user. The 2FA attack that Mitnick demonstrated has existed in its current form for several years, Grimes said, though he added that what's relatively new is the Evilginx tool that Mitnick used. Evilginx is an open-source man-in-the-middle (MiTM) framework that enables researchers to phish the credentials and session cookies of a web service.
"There are some scenarios that Evilginx and similar attacks may not work on, but it's more important to realize that there isn't a 2FA scenario that can't be hacked one way or another, and sometimes it's as simple as sending a phish email," Grimes said.
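As an added example, not code from the article or from KnowBe4, here is one server-side check a defender can apply against the session-token replay described above: at the moment the password and 2FA step succeed, bind the issued session to a fingerprint of the client that completed the login, then refuse and report the token when it is later presented from a different client. The IP addresses and user agents below are constructed, and IP/UA binding is a detection aid rather than a complete defense, since a proxy sitting in the login flow shapes what the legitimate site sees at login time.

```python
import hashlib
import secrets

# Constructed in-memory session store: token -> client fingerprint at issuance.
SESSIONS = {}


def fingerprint(ip, user_agent):
    """Hash of the client attributes the session is bound to at login."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def issue_session(ip, user_agent):
    """Called only after password + 2FA succeed; binds the token to that client."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = fingerprint(ip, user_agent)
    return token


def check_session(token, ip, user_agent):
    """Return (allowed, reason). A known token presented from a client that does
    not match its issuance fingerprint is revoked so a fresh login is required,
    and the reason is returned for the caller to log and alert on."""
    bound = SESSIONS.get(token)
    if bound is None:
        return False, "unknown_token"
    if bound != fingerprint(ip, user_agent):
        SESSIONS.pop(token, None)  # revoke: the token may have been captured
        return False, "client_mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: a login from the user's client, then the same token
    presented from a different client, then the original client again."""
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)"
    token = issue_session(victim_ip, victim_ua)
    events = [
        {"ip": victim_ip, "ua": victim_ua, "token": token},
        {"ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64)", "token": token},
        {"ip": victim_ip, "ua": victim_ua, "token": token},
    ]
    return [check_session(e["token"], e["ip"], e["ua"]) for e in events]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

Mobile and NAT clients change addresses legitimately, so a production deployment would log the mismatch and step up authentication rather than silently revoke, and would treat a user-agent change as a stronger signal than an address change alone.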
