
Hacked despite 2FA? -> Passkey is the future


Passkey - the secure way to log in!

By now, everyone should (hopefully) have understood that simple passwords offer about as much protection as no password at all. That's why many people use two-factor authentication. What many have not realized, however, is that even accounts protected with two-factor authentication (2FA) can sometimes be hacked. Despite the security improvement that 2FA brings, and despite the use of complex passwords, quite a few social media accounts (including Facebook accounts) have been hacked in recent months.


How?

Two-factor authentication increases security considerably, but it is not infallible, especially when the second factor is delivered via SMS. Here are some reasons and explanations:


  1. Phishing attacks: We have used phishing techniques ourselves in phishing tests, where we were able to successfully trick users into entering their login information, and then the 2FA code, on a fake website. An attacker who is quick enough (and who can see live when the 2FA token is entered) can log in while the "real" user is still on the fake site, reading a message that something went wrong. Once in, the attacker quickly registers their own device for 2FA, and the real owner has lost the account for good.

  2. Man-in-the-middle attacks (MitM): In this type of attack, the attacker sits between the user and the real website, waits for input, monitors the data transfer and intercepts the data transmitted between the two, including the 2FA code.

  3. Account takeover via SIM swap: Here the attacker takes control of the victim's phone number, usually through social engineering or by cloning the SIM card. Once the attacker controls the number, the 2FA codes sent via SMS arrive directly on their device.

  4. Use of already compromised devices: It is of course also relatively easy to obtain 2FA codes if one of the user's devices (e.g. the notebook or smartphone) is already infected with malware. An attacker can then, not just in theory, record everything entered or displayed on that device, including 2FA codes, take screenshots of the screen content, or even stream what is shown on the screen live.

  5. Backup codes: It is not uncommon (we see it time and again with customers) for users to store their 2FA backup codes in unsafe places or even to share them. An attacker who gains access to these codes can use them to log in; that is exactly what backup codes are designed for: if you lose access to your 2FA for any reason, you can reset it using the backup codes.

  6. Errors in the provider's login system (in this specific case, Facebook): A bug in a new 2FA login system that Meta had developed allowed cybercriminals to bypass an account's 2FA protection simply by knowing the victim's phone number. How? Meta had neglected to limit the number of attempts. An attacker could log into the centralized "Accounts Center" with their own Facebook account, enter the victim's phone number in order to link it to that account, and then brute-force the SMS two-factor code. Since there was no upper limit on the number of attempts, the brute-force attack could run for as long as needed. As soon as the attacker had the right code, the victim's phone number was linked to the attacker's Facebook account. After a successful attack, Meta sends the victim a message stating that two-factor protection has been disabled because their phone number has been linked to someone else's account.



How can I best protect myself from such attacks?

The key word is passkey. Unfortunately, this method is not yet supported by all systems and portals, but it is gaining ground.


But what exactly are passkeys?

Passkeys are a new way to log into apps and websites, designed to be simple while significantly improving online security. Instead of a password, passkeys let users log into apps and websites the same way they unlock their devices: with a fingerprint, a facial scan or a screen-lock PIN. And unlike passwords, passkeys are resistant to online attacks such as phishing, which makes them more secure than the SMS one-time codes mentioned above.


How passkeys work

Unlike the traditional method, where users create a password themselves (or have a password manager generate one), with passkeys the user's device generates a unique pair of mathematically related keys when the account is created on a WebAuthn-enabled service. The public key, which is not confidential, is stored on the service's servers, while the private key remains on the user's device. At login, the service sends a random challenge, the device signs it with the private key, and the service checks the signature against the stored public key; no secret is ever typed in or transmitted, so there is nothing for a phishing page to capture.

Industry giants such as Google, Apple and Microsoft, together with others under the banner of the FIDO Alliance, have backed passkey technology, signalling a strong industry shift towards this more secure authentication method. 1Password (a password manager) has also announced support, which makes it much easier for non-IT people and those without technical knowledge to protect their accounts securely.


A few more tips to increase your own safety


  • As mentioned above, use passkeys instead of traditional logins wherever possible and supported.

  • If passkeys are not available, always use physical tokens or authenticator apps such as Microsoft Authenticator, Google Authenticator or Authy, and avoid SMS-based 2FA altogether.

  • Always make sure you are on the real site and not a phishing site before entering login credentials.

  • Regularly check your devices for malware and make sure you always have the latest security patches installed.

  • Always be very cautious when receiving emails, texts or calls from alleged service providers asking for personal information.


For tips on recognizing phishing attacks, see our free cheat sheet.


