Does Two-Factor Verification Protect Companies from Phishing Attacks?

May 10, 2018


Two-factor (or multi-factor) verification is a simple control that makes it harder for unauthorized people to gain access to accounts and confidential data. Instead of relying on a single factor for verification, such as a password, an additional factor is required, typically something the person has.

This might be a card reader, which banks frequently use to verify the identity of a customer who wants to make a transfer, although most commonly it is a mobile phone. After the password is entered, a code is sent to the mobile phone, and that code must be entered to gain access to the account. This ensures that theft of a password, or guessing a password, will not by itself allow the account to be accessed.

Can Two-Factor Verification Defend Companies from Phishing Attacks?

There have been many data breaches caused by employees disclosing their passwords, often through phishing attacks. In many of those cases, the use of two-factor verification would have stopped the phishing attack from succeeding.

Implementing two-factor verification is a quick and easy way to improve security; however, it is not foolproof. An attacker does not need to obtain both the password and the device used for the second factor.

How easily two-factor verification can be bypassed was recently demonstrated in a video by KnowBe4's Chief Hacking Officer Kevin Mitnick. In the video, he shows a technique that can be used to bypass two-factor verification and gain access to a user's account, in this case their LinkedIn account.

In the demonstration, a user is sent an email from LinkedIn asking them to accept a connection request. The email matches a genuine LinkedIn message in every respect apart from the domain. In this instance, the domain differs from the real one by a single letter.

Clicking the link in the email takes the user to a spoofed LinkedIn site and a prompt to enter their username and password. Once the login credentials have been entered, the user receives a verification code on their mobile phone. The code is entered on the phishing site, and the user is then redirected to their real LinkedIn account. Unknown to the user, a successful phish has taken place.

Because the phishing site sits between the user and LinkedIn and relays every step in real time, the username and password have been captured, and so has the session cookie that LinkedIn issued once the code was accepted. With that session cookie, the attacker can log in to LinkedIn without needing a username, password, or two-factor verification code. Whenever the attacker wants to access the account, the session cookie can be used, without any further credentials, until the session expires or is revoked. Note that the code sent by SMS or generated by an authenticator app carries no information about which website it was typed into, which is exactly why a relay of this kind works against it.
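The following is an added simulation, written for this page and not code from KnowBe4, Kevin Mitnick, or the video. It models the two-step login described above (password, then a six-digit code delivered to the phone, then a session cookie) and the lookalike site that forwards everything the victim types to the real site. It also goes beyond the page with a contrast: a second factor bound to the page origin, in the style of FIDO2/WebAuthn, which the same relay cannot pass. All domain names, user names, passwords and secrets are made up, and the "authenticator" is simplified to an HMAC over the origin string rather than a real public-key signature.

```python
# Constructed simulation of the real-time phishing relay described above.
# Not code from the page or from KnowBe4; domains, users and keys are invented.
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://www.example-social.com"    # assumed genuine origin
PHISH_ORIGIN = "https://www.exarnple-social.com"  # assumed lookalike ("rn" for "m")


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238-style 6-digit code for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class RealSite:
    """The genuine service: password, then one-time code, then a session cookie."""

    def __init__(self):
        self.users = {}       # username -> (password, totp secret, authenticator key)
        self.pending = set()  # usernames that passed the password step
        self.sessions = {}    # session cookie -> username

    def register(self, user, password):
        self.users[user] = (password, secrets.token_bytes(20), secrets.token_bytes(32))

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec[0], password):
            return False
        self.pending.add(user)  # at this point the real site texts the victim a code
        return True

    def verify_code(self, user, code, now):
        """OTP step: the code says nothing about where it was typed in."""
        if user not in self.pending or not hmac.compare_digest(code, totp(self.users[user][1], now)):
            return None
        return self._issue(user)

    def verify_assertion(self, user, claimed_origin, signature):
        """Origin-bound step (FIDO2/WebAuthn style): the signed origin must be ours."""
        expected = hmac.new(self.users[user][2], claimed_origin.encode(), hashlib.sha256).digest()
        if user not in self.pending or claimed_origin != REAL_ORIGIN or not hmac.compare_digest(expected, signature):
            return None
        return self._issue(user)

    def _issue(self, user):
        self.pending.discard(user)
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class Victim:
    """Holds the phone (TOTP secret) and the authenticator (origin-signing key)."""

    def __init__(self, site, user, password):
        self.user, self.password = user, password
        self.phone_secret, self.auth_key = site.users[user][1], site.users[user][2]

    def read_code(self, now):
        return totp(self.phone_secret, now)

    def sign_origin(self, origin):
        # The browser supplies the origin of the page that made the request; the page cannot override it.
        return hmac.new(self.auth_key, origin.encode(), hashlib.sha256).digest()


class PhishingProxy:
    """Lookalike site: forwards everything the victim types and keeps what comes back."""

    def __init__(self, real):
        self.real, self.captured = real, {}

    def submit_login(self, user, password):
        self.captured.update(user=user, password=password)
        return self.real.login(user, password)

    def submit_code(self, code, now):
        self.captured["cookie"] = self.real.verify_code(self.captured["user"], code, now)
        return self.captured["cookie"] is not None

    def submit_assertion(self, signature, claimed_origin):
        return self.real.verify_assertion(self.captured["user"], claimed_origin, signature)


def run_otp_phish(now=1_525_950_000):
    """True if the attacker ends up holding a cookie that opens the victim's account."""
    site = RealSite()
    site.register("alice", "correct horse")
    victim, proxy = Victim(site, "alice", "correct horse"), PhishingProxy(site)
    proxy.submit_login(victim.user, victim.password)  # victim types credentials into the lookalike
    proxy.submit_code(victim.read_code(now), now)     # victim types the code she was just texted
    return site.whoami(proxy.captured["cookie"]) == "alice"  # attacker reuses the cookie later


def run_origin_bound_phish():
    """Same relay against an origin-bound factor; True only if some forwarding mode works."""
    site = RealSite()
    site.register("alice", "correct horse")
    victim, proxy = Victim(site, "alice", "correct horse"), PhishingProxy(site)
    proxy.submit_login(victim.user, victim.password)
    sig = victim.sign_origin(PHISH_ORIGIN)             # browser signs the origin it is really on
    honest = proxy.submit_assertion(sig, PHISH_ORIGIN)  # rejected: origin is not the real site
    forged = proxy.submit_assertion(sig, REAL_ORIGIN)   # rejected: signature does not cover that origin
    return honest is not None or forged is not None
```

`run_otp_phish()` returns True: the real site issued a perfectly valid session to a login it could not distinguish from the victim's own, and the cookie now lives on the attacker's server. `run_origin_bound_phish()` returns False in both forwarding modes, because the thing being verified includes the origin the browser was actually on. The same logic is why the code on the page's own SMS flow is relayable and a FIDO2 security key is not.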

So, can two-factor verification protect companies from phishing attacks? Yes, in some cases, but not always. Codes delivered by SMS or generated by an authenticator app can be relayed by a phishing site in real time; second factors that are bound to the website's origin, such as FIDO2 security keys, are not defeated by this technique, and monitoring for logins from unexpected locations or devices can catch a stolen session being reused. It is therefore important to ensure that all staff are taught to be more security conscious and receive training on the checks that should always be performed, starting with the sender's domain, before responding to any email request.