How to Beat 2-Factor Authentication

You may have noticed these fake ‘Log into Google’ pages appearing more and more. They (and their equivalents for other services) have very quickly become one of the main ways hackers steal other users’ accounts (look carefully at the URL):

[Image: fake Google login screen]

The usual solution put forward to avoid falling for these is to ‘use 2-factor authentication’. 2-Factor Authentication is very, very good, and everyone should enable it where possible. But… it does not necessarily protect you from attacks using systems like the above. Here’s how a hacker could get around it if they were determined:

  1. The hacker sends an email to someone that redirects them to a fake ‘log in to Google’ page.
  2. At the point the user enters their login details, the hacker’s program automatically attempts to log into Google itself.
  3. If the hacker is presented with a ‘Please enter your code…’ screen, Google will have automatically sent a code via SMS directly to the user. The hacker therefore presents the user with their own ‘Please enter your code’ box.
  4. The hacker then waits for the user to receive the code that Google has sent and type it into the hacker’s own ‘enter your code’ box.
  5. The hacker would then use that code to immediately log into Google as the user, defeating the 2-step authentication.

That’s all sneaky, and horrible, but it’s so straightforward that I’m sure it will start happening soon.

3 Factor Authentication? Or ‘Confirmed’ 2 Factor Authentication?

The obvious next step is ‘3-step authentication’ which is: After Google have sent the login code and the user has logged in, they should then text another message to the user’s phone, simply saying ‘Login successful. If you have not just successfully logged in, please reply STOP to this message’.
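The ‘confirmed’ flow proposed above, modelled as an added Python example (not code from the original post or from any provider): a relayed code only ever yields a provisional session, and a STOP reply from the real user within the grace window revokes it. The class and method names, the 300-second grace window, the 120-second code lifetime and the in-memory outbox standing in for an SMS gateway are all assumptions.

```python
import secrets

GRACE_SECONDS = 300  # assumed grace window: how long a STOP reply can still revoke a login
CONFIRM_TEXT = "Login successful. If you have not just successfully logged in, please reply STOP to this message"


class ConfirmedTwoFactor:
    def __init__(self):
        self.pending_codes = {}  # user -> (code, expiry time)
        self.sessions = {}       # session id -> {"user", "state", "created"}
        self.outbox = []         # constructed stand-in for the SMS gateway

    def issue_code(self, user, now):
        """Password accepted: text the user a fresh 6-digit one-time code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[user] = (code, now + 120)  # assumed code lifetime
        self.outbox.append((user, f"Your login code is {code}"))
        return code

    def redeem_code(self, user, code, now):
        """Check the code once; on success open only a PROVISIONAL session and send CONFIRM_TEXT."""
        stored = self.pending_codes.pop(user, None)  # single use, even when the attempt fails
        if stored is None or now > stored[1] or not secrets.compare_digest(stored[0], code):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "state": "provisional", "created": now}
        self.outbox.append((user, CONFIRM_TEXT))
        return sid

    def sms_reply(self, user, text, now):
        """A STOP reply inside the grace window revokes every provisional session of that user."""
        if text.strip().upper() != "STOP":
            return 0
        revoked = 0
        for s in self.sessions.values():
            if (s["user"] == user and s["state"] == "provisional"
                    and now - s["created"] <= GRACE_SECONDS):
                s["state"] = "revoked"
                revoked += 1
        return revoked

    def settle(self, now):
        """Provisional sessions that outlive the grace window unchallenged become active."""
        for s in self.sessions.values():
            if s["state"] == "provisional" and now - s["created"] > GRACE_SECONDS:
                s["state"] = "active"

    def state(self, sid):
        return self.sessions[sid]["state"]
```

Note that the code is already correct and consumed at the moment it is redeemed; the confirmation text is the only signal the real user gets that someone else has just used it, so the grace window has to be long enough for them to read it and reply.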