Let's examine some ways hackers can bypass two-factor authentication systems and what you should do to prevent this from happening.
Just as a hacker can steal a single-factor credential, both pieces of a two-factor system can be stolen as well. For example, a simple system might use a user ID and password together with a one-time password (OTP) token that generates a new six- or eight-digit PIN every 60 seconds. Unlike a static password, which can be used at any time, the PIN changes so frequently that it would be impossible for a malicious user to break in after the allotted 60-second time interval. However, both factors can still be stolen. Here's a possible scenario: someone shoulder surfs and lifts a user's ID and password. They now have one piece of information. Then the same hapless user absent-mindedly leaves their token on their desk and steps away. The unscrupulous shoulder surfer now has both keys to the user's login. It's that simple.
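To make the "new PIN every 60 seconds" mechanism concrete, here is an added example (not code from the original article or from any token vendor) of a time-based OTP in the RFC 4226/6238 style, together with the server-side check a relying party should perform. The secret, time step and verifier class are assumptions for illustration; the standard test vectors from the RFCs are used to confirm the arithmetic. The verifier goes slightly beyond the article's description: besides checking the current time step (plus one step of clock drift either way), it refuses to accept any step at or below the last one already redeemed, so a shoulder-surfed code that has already been used cannot simply be replayed within its window.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed for this example; a real token's seed is provisioned
# by the vendor or identity provider and never appears in application code.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-token"
TIME_STEP = 60   # the article's token rotates its PIN every 60 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole steps
    elapsed since the Unix epoch at time `at`."""
    return hotp(secret, at // step, digits)


class OtpVerifier:
    """Server-side check (assumed design, not the article's product).

    Accepts the current time step plus `drift` steps either side to allow
    for clock skew, and never accepts a step at or below the highest step
    already redeemed, so each code is genuinely one-time."""

    def __init__(self, secret: bytes, step: int = TIME_STEP,
                 digits: int = DIGITS, drift: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_used_step = -1

    def verify(self, code: str, now: int) -> bool:
        # Reject anything that is not exactly `digits` decimal digits.
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            # A step that has already been redeemed (or is older than one
            # that has) is never valid again, even if the code matches.
            if candidate <= self.last_used_step:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, code):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    v = OtpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("first use accepted:", v.verify(code, now))
    print("same step presented again:", v.verify(code, now))
```

Because every code is derived from the clock, the server only needs the shared seed and the current time to check it; the `last_used_step` bookkeeping is what enforces the "one-time" part, and in a real deployment it must be persisted per token, not kept in memory.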
Another way a two-factor system can be broken is by a man-in-the-middle (MITM) attack. This attack uses a proxy server that is maliciously set up between the user's workstation and the authenticating system. A hacker sits on the proxy in real time and grabs the credentials as they pass by. Once the information has been captured, the hacker can reset the static user ID and password, order a new OTP token and take over the account going forward.
A two-factor system using a smart card and PIN could also be compromised if both pieces of the system are stolen. There are ways to pull data from chips embedded in smart cards. All the hacker has to do to complete the job is steal the PIN.
The point here isn't that you should throw out your brand-new two-factor system; rather, make sure it's monitored, maintained, controlled, inventoried and logged for proper usage. Though less likely than a breach of a single-factor system, breaches of two-factor authentication are possible and do happen.
This was first published in March 2006