Can Two-Factor Authentication be Hacked?

Two-factor authentication (2FA) does not make authentication 100% safe.  There is no magic wand that will make you invulnerable.  However, it does make authentication much safer and harder to breach.

Two-factor authentication can be compromised in several ways.  Some of these are:

  • Someone could gain access to your 2FA device or one-time password (OTP) list (lost or stolen phone, device, or OTP lists).
  • A malicious application (like a trojan horse) that you install on your device steals your 2FA data.
  • Real-time phishing (the phisher asks for your OTP, then uses it immediately).
  • Insecure setup (for example, using Google Voice with your SMS-based 2FA).
  • Man-in-the-middle attacks (hackers insert themselves between your web browser and the website, and steal your 2FA credentials as they are transferred).
  • Phishers pretending to be technical support trick you into disabling your 2FA.
  • Phishers pretending to be you trick your technical or customer service support into disabling your 2FA.
  • Someone could gain access to your 2FA by hacking some other related site (for example, breaching your cell phone provider's website).

Generally speaking, 2FA greatly increases your security, and is the single most effective security measure after using strong passwords.  While not invulnerable to abuse, it is worth using to greatly increase the security of the digital assets it protects.

Written by Eric Rostetter, Senior System Administrator