Is two-step authentication always secure? So they can break it
Why they can skip the 2FA
The two-step authentication is an extra safety barrier we can add to our accounts. For example, protect email or any social network. It is a code that we can receive by SMS or through an application and that serves to identify us. The problem is that an intruder could exploit this method, as we will see. Even social engineering could attack 2FA.
Theft of the mobile
The first thing that can happen is that our mobile phone is lost or stolen. If someone had access to our device, they could automatically control all the applications and logins that we have configured. You could easily read any SMS we receive and see what the 2FA code is.
To avoid this problem, it is best to always have your mobile protected with a good password. But also, as soon as you lose the device or suffer a theft, the ideal is to call the operator to have the phone number canceled. In this way, we will avoid that an SMS with the code can end up in the wrong hands.
But even without physically stealing the phone, they could also read the SMS. There are attacks such as SIM Swapping, which basically consists of the attacker calling the operator posing as the victim and thus receiving a SIM card at their address.
This method is complicated since luckily the filters of the operators are very important and it is not easy for them to happen. However, the truth is that there have been attacks of this type in other countries and it is one more strategy to steal 2FA codes.
It could also happen that our device is affected by malware. For example, there are mobile Trojans that are designed to record the SMS we receive and to read them and send them to a server controlled by the attacker.
This would logically allow reading text messages with two-step authentication codes. For this reason, it is essential to protect the equipment, have a good antivirus, and always update everything to solve any possible vulnerability that appears.
One more method is simply to use brute force. This is not always possible, since there are limits and mechanisms that will prevent this from happening in most cases. However, it is yet another possibility that also jeopardizes the effectiveness of two-step authentication.
Brute force basically consists of trying over and over the different possible combinations until you find the right one. Attackers can use computer tools to do this.
Ultimately, these are some options that exist for which two-step authentication may not be effective. It is essential at all times to be protected and to use the services available correctly to reduce risk.