Password authentication is inherently weak, even if you have the strongest password ever. Maybe your password is 25 characters and there is no way it could be cracked – but if your account is compromised in a data breach, your password is suddenly meaningless. If you have shared that password between multiple accounts, you are in even more trouble. As penetration testers, it is one of the first things we check for, and the bad guys do, too. Two-factor authentication (2FA) was developed as a way to strengthen password-based login by adding another layer on top of the password, and it works really, really well, most of the time. However, during a recent penetration test, the OCD Tech team proved that even two-factor authentication is not the be-all and end-all of user security. It can be bypassed.
It started with the reconnaissance of our target, as most real-world attacks will. With the power of open-source intelligence-gathering tools, and with search engines at our disposal, we compiled a list of email addresses that would be the foundation of a phishing campaign against a client. A review of the in-scope IP addresses revealed a few different websites that were hosting login pages – we noted Citrix, Outlook, and some others that made potential targets for this campaign. We decided to start with their Outlook Web Application login portal.
Our client’s instance of Outlook Web App was not protected by 2FA, which made for an easier starting point. We crafted an email along the lines of, “We’ve had an update. Please log in to your account via this link to validate your credentials.” It was prettier than that, of course, and there was some backend work involved, such as registering a convincing domain, standing up our fake OWA login portal, and making sure that our credential-harvesting webpage was functioning as expected. With those steps done, we fired off our phishing email to the list of addresses we had assembled during the recon stage. And then we waited. Ultimately, we received three sets of credentials. Most times, all you need is one.
As luck (and Active Directory) would have it, these credentials were also valid on the client’s Citrix web portal, with one caveat – Citrix was protected by two-factor authentication. More specifically, Citrix was protected by a Google One-Time Password (OTP). We decided to phish for it. We set up a new landing page, a clone of Citrix, that would accept a username, password, and 2FA code. We then emailed only the three users who responded to our first round of phishing, knowing they would be most susceptible to responding again. This method of picking and choosing targets, as opposed to addressing an entire mailing list, is known as spear phishing. Our email this time looked something like this: “Some users have reported issues accessing Citrix following our update. Please validate your Citrix credentials here to ensure your access is not affected. Remember, this must include your Google OTP.” And we waited.
There are a few problems when it comes to phishing for two-factor authentication:
Number 1— If the target’s 2FA service only generates a code when a real login attempt is made, this strategy will fail, since the target is logging in to our fake page and will therefore not generate an alert. Google’s OTP, however, is a rolling code that automatically refreshes every 60 seconds. This code lives on the user’s device and is valid whether they are actively trying to log in or not. All we needed was for one of the targeted users to enter their current code into our fake login page. With any other configuration, our attempt at bypassing 2FA would have been significantly more difficult, and likely less successful.
Number 2— The code is time-sensitive! If it is not entered within a very limited window of time, authentication will fail.
So, we watched our web server logs, which would provide a live feed of any phished credentials, and we didn’t dare step away from our screens until an hour or so later, after we had gotten three hits. Our hunch was right; the three users who were phished once were all phished again. The usernames, passwords, and OTPs they provided were accepted by Citrix, and due to the poor security configuration of the Citrix server, we demonstrated for the client complete network compromise while being entirely remote.
How can you protect yourself from attacks like this?
The first step is realizing the root of the problem. Although two-factor authentication can leave a lot to be desired in the way of security, this is not the biggest issue. The problem lies with phishing, and your users’ susceptibility to phishing attacks. Remember, all it takes is one unaware user to result in network compromise.
Phishing can be partially mitigated with a mail filter and robust spam settings, but if one email should slip through, your organization is still vulnerable if your users are not trained in security awareness. The best way to do this is to phish them yourself – familiarize your users with what phishing looks like, train them when they are fooled, and, in the future, they will know what to look for and will know not to click again.
Two-factor authentication, although flawed, is still extremely important. Passwords can be cracked, guessed, or stolen; it happens all the time. Two-factor helps to protect against this; it is one of the best defenses against an attacker trying to break into your account – but its flaws cannot be ignored. Like most things, two-factor authentication is imperfect, and it can be bypassed. This is why you should not rely solely on it to protect yourself. When you stack your defenses, not only with 2FA, but with a staff that will never fall for a phishing email, you stand a far greater chance of withstanding attacks.
Contact OCD Tech if you would like to learn about the security awareness training we offer to help keep your users safe from phishing attacks and check out our free external web breach assessment to understand what the biggest outside risks are to your organization.