Ask the Expert

How hackers can bypass two-factor authentication systems

If our network system is protected with two-factor authentication, is there still a risk of theft of user credentials?

    Requires Free Membership to View

Absolutely. Two-factor authentication systems cannot protect your network from all evil. While they provide an extra layer of protection and help slowdown attackers, they cannot stop intruders altogether.

Let's examine some ways hackers can bypass two-factor authentication systems and what you should do to avoid this from happening.

Just as a hacker can steal a single-factor device, both two-factor pieces can be stolen as well. For example, a simple system might use a user ID and password with a one-time password (OTP) token that generates a new six or eight digit PIN number every 60 seconds. Unlike a static password, which can be used any time, the PIN changes so frequently that it would be impossible for a malicious user to break in after the allotted 60-second time interval. However, both factors can still be stolen. Here's a possible scenario: Someone shoulder surfs and lifts a user's ID and password. They now have one piece of information. Then the same hapless user absent-mindedly leaves their token on their desk and steps away. The unscrupulous shoulder surfer now has both keys to the user's login. It's that simple.

Another way a two-factor system can be broken is by a man-in-the-middle (MITM) attack. This attack uses a proxy server that is set up maliciously between the user's workstation and the authenticating system. A hacker sits on the proxy in real-time and grabs the credentials as they pass by. Once the information has been captured, the hacker can reset the static user ID and password, order a new OTP and take over the account going forward.

A two-factor system using a smart card and PIN could also be compromised if both pieces of the system are stolen. There are ways to pull data from chips embedded in smart cards. All the hacker has to do to complete the job is steal the PIN.

The point here isn't to throw out your brand new two-factor system, just make sure it's monitored, maintained, controlled, inventoried and logged for proper usage. Though it's not as likely as a single-factor system breach, two-factor authentication breaches are possible and can happen.

This was first published in March 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: