Bypassing Two-Factor Authentication – What you need to know!

Hacker Kevin Mitnick and several other hackers have already demonstrated that Two-Factor Authentication can be bypassed via phishing and other techniques. Before you panic, here is the important information on what you should do.

Picture Source: GBhackers


Most bypasses require an exploit or a weakness in the implementation, which means that if you’re unsure, just don’t open the emails or the attachments, so you don’t run into a security problem. The main challenge with implementing two-factor authentication is enforcing a policy that employees may consider inconvenient.


  • If the login field looks strange (fake login page), just don’t use it at all
  • Check the URL, if it’s visible; obfuscated links via tinyurl are usually an indicator that this is a fraud
  • If you’re on a mobile app, ensure that you really got an email; most attacks on mobile devices are app related. If you requested a code and you don’t get a valid email with your code, but the app shows you a code, then this means it’s fake
  • iOS generally sees more phishing attacks, around 63% in total, which means you should double-check that it’s not a fraud
  • Ensure that your browser always shows the full URL, not just a shortened URL; this can often be enabled in the configuration
  • Ensure you don’t have any malware apps installed (mobile/desktop). Simply use as few apps as possible, and only ones from trusted sources with ‘legit’ reviews and, if possible, code audits
  • If someone tells you to disable 2FA in order to use their services, then this is also a fraud, see the last story reported here.
  • Don’t allow any support staff to remote desktop into your machine, no matter what; if possible, check whether there are other ways to help you.

An attack begins when a phishing link is distributed to the target, using a fake version of a page that they know the target will be interested in. One popular example is something embarrassing or sensitive, such as messages suggesting someone’s photos have been revealed somewhere online. Another would be a concerning message sent internally or shared via e.g. Facebook, that the target’s salary might have been published somewhere online.

Regardless of the specific technique used, the hacker will eventually find a way to divert the target to a fake login page for the desired service, in this case Google. This landing page is a very accurate copy of the Google login page, and even traditional phishing detection methods may not work.

On mobile, this is amplified: user attention is typically less focused, and other unique factors also play a role, such as the smaller screen size and the obscured domain information. Even observation of the URL may not always be sufficient for detection. Many modern mobile phishing attacks make use of ‘blank’ emoji in the domain name (these will show as invisible in lots of browsers), and an increasing number have taken advantage of free certificate services to make sure that even these phishing pages are hosted on supposedly ‘secure’ and registered domains.
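The checks described above (shortened links, invisible characters in the domain name) can be automated on the defender's side, for example in a mail filter or a link-preview tool. The following is an added example, not code from the original post; it also goes one step further and decodes `xn--` (punycode) labels and flags other non-ASCII characters. The shortener list besides tinyurl.com and the list of blank-looking letters are assumptions, and a finding is a reason to look closer, not proof of fraud.

```python
import unicodedata
from urllib.parse import urlsplit

# tinyurl.com is named on the page; the other shortener hosts are assumed examples.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
# Letters that render as blank space (assumed, non-exhaustive list).
BLANK_LETTERS = {0x115F, 0x1160, 0x3164, 0xFFA0}

def is_invisible(ch):
    """True for format chars (zero-width space/joiner), variation selectors, blank fillers."""
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"
            or 0xFE00 <= cp <= 0xFE0F
            or cp in BLANK_LETTERS)

def decode_label(label):
    """Turn an IDNA 'xn--' label back into the Unicode text it encodes."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label
    return label

def inspect_url(url):
    """Return a list of warnings about the host in url (empty list = nothing found)."""
    host = urlsplit(url).hostname or ""
    findings = []
    if host in SHORTENERS:
        findings.append("shortened link: real destination is hidden")
    shown = ".".join(decode_label(part) for part in host.split("."))
    hidden = [f"U+{ord(c):04X}" for c in shown if is_invisible(c)]
    if hidden:
        findings.append("invisible characters in host: " + ", ".join(hidden))
    odd = sorted({f"U+{ord(c):04X}" for c in shown
                  if ord(c) > 127 and not is_invisible(c)})
    if odd:
        findings.append("non-ASCII characters in host: " + ", ".join(odd))
    return findings

if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    samples = [
        "https://accounts.google.com/signin",
        "https://tinyurl.com/abc123",
        "https://accounts.goo\u200bgle.com/signin",  # zero-width space in the name
        "https://xn--" + "g\u043e\u043egle".encode("punycode").decode() + ".com/",
    ]
    for s in samples:
        print(ascii(s), "->", inspect_url(s) or "no findings")
```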

Closing Words

These are some small steps and a brief overview of what is possible and what you should avoid in order to stay away from phishing attacks. In most cases you can already see that the URL is altered, with some dots added or other strange characters. It’s also important to note that some modern browsers block invisible characters, which is just another reason to stay updated as much as possible; other browsers are weak against these kinds of attacks.