Two-factor and multi-factor authentication mechanisms can be breached or bypassed. We look at why speedier detection might be more effective.
Two-factor (2FA) and multi-factor authentication (MFA) provide an extra layer of defence to protect your passwords, but I'd argue that they can provide a false sense of security. Not only would you need to apply them consistently across every service you use, which is unrealistic for many people, but not all services make them available. 2FA and MFA can also be circumvented in a number of ways. So, given these mechanisms have been found wanting, what can be done?
As its name suggests, 2FA requires an additional method of authentication after you enter your username and password. The user is prompted to reauthenticate via a text message, email, authentication software (e.g., Google or Microsoft Authenticator) or a biometric identifier such as face, voice or fingerprint. MFA simply demands more than two forms of authentication, but its use is not widespread because it presents this additional access barrier.
Ways to own 2FA
Attackers seek to capture 2FA once they already have your password. One of the most common methods is SIM fraud, in which the attacker orders a replacement SIM card from your telco provider and has it delivered to their own address, allowing them to take over your phone number and have the single-use passcodes for your accounts sent to them. Twitter's CEO, Jack Dorsey, was just one of the many to have succumbed to a SIM swap attack, back in 2019.
Time-based authentication used by authentication software is often regarded as more secure, with a Time-based One-Time Password (TOTP) typically allowing you ten minutes to use the passcode before it expires. But malware has been found on Android devices that is capable of copying and forwarding these codes to the attacker.
Even biometric identification can be hacked or leaked, as proven by the data breach of the Suprema Biostar 2 security platform in 2019. This housed more than 27.8 million biometric records as well as usernames and passwords, potentially meaning the biometric data could be replicated and used to obtain access to other systems in combination with these credentials.
But obtaining access to 2FA doesn’t even need to be that sophisticated. Brute force is still an option because these codes are typically only 4-6 characters. Worse still, they’re usually restricted to numbers, making it relatively simple to enumerate codes using modern rigs.
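The standard server-side answer to this enumeration risk, shown as an added example that is not part of the original article: cap wrong guesses per issued code, expire it, and compare in constant time. The class and function names are hypothetical, and the 20 guesses per second rate in the demo is an assumption; the 600-second lifetime mirrors the ten-minute window mentioned above.

```python
import hmac
import secrets
import time


def guess_success_probability(digits: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random numeric code."""
    keyspace = 10 ** digits
    return min(attempts, keyspace) / keyspace


class OtpChallenge:
    """One issued code, bound to an expiry time and a hard cap on wrong guesses."""

    def __init__(self, digits=6, ttl_seconds=600, max_attempts=5, now=time.time):
        self._now = now
        self._code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self._expires_at = now() + ttl_seconds
        self._attempts_left = max_attempts
        self.burned = False  # True once the code can never be accepted again

    def verify(self, submitted: str) -> bool:
        if self.burned or self._now() >= self._expires_at:
            self.burned = True
            return False
        self._attempts_left -= 1
        # Constant-time comparison so response timing leaks nothing about the code.
        ok = hmac.compare_digest(submitted.encode(), self._code.encode())
        if ok or self._attempts_left == 0:
            self.burned = True  # single use on success, locked out on exhaustion
        return ok


if __name__ == "__main__":
    # Assumed rate: 20 guesses/second against a code that stays valid for 600 seconds.
    print("4 digits, no attempt cap:", guess_success_probability(4, 20 * 600))
    print("6 digits, 5-attempt cap: ", guess_success_probability(6, 5))
```

Once a challenge is burned the user has to request a fresh code, so the attacker's odds are bounded by the attempt cap rather than by how fast they can send requests.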
In some cases, the attacker can simply choose to bypass 2FA altogether. Take the recent example of John Doe, who had 2FA enabled on his Twitter account but then began to see tweets appearing on his feed. It turned out that he had linked his website to his Twitter account, resulting in the API key being insecurely stored on the webserver. With ownership of the app key, the attacker didn't even need to worry about 2FA.
In fact, there are multiple ways of simply missing 2FA out of the authentication process. Attackers can use the password reset function, for example, and request and use a new password token, provided 2FA is not on the log-in page following the reset process. Or, if the website presents the option to use OAuth (which allows you to log in to a service using your existing Facebook or Gmail account), the attacker can simply use stolen credentials for that account, making it irrelevant that the new site has 2FA.
Insider threats are also a real issue. Last year saw the compromise of 130 genuine Twitter accounts belonging to politicians, billionaires, celebrities and businesses, including those of Elon Musk, Bill Gates, Jeff Bezos, Barack Obama, Joe Biden, Kanye West, Kim Kardashian, Mike Bloomberg, Uber, Apple and even Twitter’s own official support account.
This notorious hack was achieved by attackers gaining access to an internal tool at Twitter used to manage user accounts. Reports differ over whether the insider was bribed or manipulated in a social engineering attack, with Twitter claiming the latter, but it’s by no means an unusual vector. Loss of credentials is the main outcome of social engineering attacks, whereby techniques are used to manipulate a human target to gain access to data, according to Verizon’s 2021 Data Breach Investigations Report (DBIR). It found 85% of breaches involve a human element, with 61% resulting in credential compromise.
So, are 2FA and MFA still relevant? They're undoubtedly useful given that, in the event that your credentials are compromised, the attacker will still need to overcome an additional barrier. Steps are now being taken to improve the way they operate, with telcos asking for ID when SIMs are requested, and platforms such as Twitter now looking to beef up 2FA using browser-to-hardware authentication.
But realistically, you're not going to activate these mechanisms on all the platforms and services you use, whether due to time constraints, user apathy or their lack of availability. This means you will inevitably end up with gaps in your password management, with that risk then magnified by password reuse.
It's also worth reiterating that 2FA and MFA do nothing to prevent or detect the initial compromise of credentials, and when a breach of them does occur, it happens once these usernames and passwords are already known. With those credentials floating about in the ether, you could argue that it's only a matter of time before a breach occurs.
Regarding consumers, is it really a reasonable expectation that the elderly or people with poor IT skills will understand how to implement good password practices or cope with MFA?
Lead with speed
The next best thing to prevention is detection.
Speedily detecting credential compromise is the only way to combat exposure as it limits the window of opportunity. Knowing when these details have been leaked or lost ensures that action can be taken, with users alerted to the risk, made aware of where the leak occurred, how much of their personal information was made available and what they should do.
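A minimal version of that detection step, as an added example that is not from the original article or from any product: breach records are matched against a monitored directory, then each hit is risk scored and ranked for the security team. The sample dumps, the directory, the `example.com` domain and the scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: breach name, date the dump surfaced, "user:secret" records.
BREACH_DUMPS = [
    ("forum-dump", date(2021, 6, 1), [
        "alice@example.com:Summer2021!",
        "bob@example.com:0123456789abcdef0123456789abcdef",
        "carol@other.test:hunter2",
    ]),
    ("old-shop-dump", date(2016, 3, 9), ["Alice@Example.com:qwerty"]),
]
# Hypothetical directory: monitored account -> holds privileged access?
DIRECTORY = {"alice@example.com": True, "bob@example.com": False}


@dataclass
class Alert:
    account: str
    breach: str
    score: int
    reasons: list


def looks_hashed(secret: str) -> bool:
    """Treat 32/40/64 hex characters as an MD5/SHA-1/SHA-256 digest, not plaintext."""
    return len(secret) in (32, 40, 64) and all(c in "0123456789abcdef" for c in secret.lower())


def detect_exposures(dumps, directory, today):
    """Return alerts for monitored accounts found in the dumps, highest risk first."""
    alerts = []
    for breach, surfaced, records in dumps:
        for record in records:
            user, _, secret = record.partition(":")
            account = user.strip().lower()  # addresses in dumps vary in case
            if account not in directory:
                continue
            # Scoring weights below are illustrative assumptions.
            score, reasons = 40, ["credential pair in breach data"]
            if not looks_hashed(secret):
                score, reasons = score + 30, reasons + ["password exposed in plaintext"]
            if directory[account]:
                score, reasons = score + 20, reasons + ["privileged account"]
            if (today - surfaced).days <= 365:
                score, reasons = score + 10, reasons + ["surfaced within the last year"]
            alerts.append(Alert(account, breach, score, reasons))
    return sorted(alerts, key=lambda a: a.score, reverse=True)
```

Each alert carries the breach name and the reasons behind its score, which is the information the affected user needs: where the leak occurred and how exposed they are.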
Trillion from Threat Status is a commercial breach detection system that gives organisations this early warning system. Its database of 10,000 breaches containing over 10.5 billion user credentials is continually updated 24×7 so that when employee usernames and passwords appear, an alert is generated, risk scored and flagged to the security team, who can then escalate and remediate.
And for those organisations that have consumers as customers, Arc can be used to provide their customers with notification of when access has been attempted using both their username and password, making it far less likely that 2FA/MFA will be circumvented.