Two-factor authentication (2FA) is an essential safety measure that stops unauthorized access to an account. It was invented to provide an additional layer of security to the usual log-in procedure of providing one’s username and password, which is now considered by many as obsolete and unsecured.

A common example of 2FA in action is when you attempt to log in to a familiar site from a different machine or location. When you try logging in, the 2FA protocol kicks in and sends you an SMS with a verification code that you need to enter to complete the log-in procedure.

Yet despite its numerous applications and popularity, 2FA isn’t a silver bullet in thwarting all types of cybercrime. This is especially true with regard to cases such as phishing.

Can 2FA Prevent Phishing Attacks?

In most cases, it does but it is in no way guaranteed. Although once highly regarded as an effective way of preventing unauthorized access, the latest developments in the threat landscape are swaying opinions on 2FA otherwise. It can still be used as an extra, low-cost security layer, but relying on it alone won’t prevent all types of phishing attacks from being successful.

Several methods exist that can allow attackers to bypass 2FA. For example, a person who is redirected to a phishing page inputs his credentials while a threat actor captures these in real-time. A 2FA code is sent to the user, which he then enters into the phishing page, consequently revealing this to the attacker who uses this same code to log in to the legitimate website.

Even worse, this data-stealing process now comes with a recently released phishing tool created by Piotr Duszynski, a Polish researcher. Duszynski named this tool “Modlishka.“It works as a reverse proxy customized to handle traffic that flows through log-in pages. What it does is that it sits between the would-be victim and the phishing website. Whenever a user accesses the phishing page that hosts Modishka, it serves content coming from the legitimate site while sniffing all of the traffic that passes through it, including users’ sensitive details.

In a nutshell, the tool automatically replicates the manual 2FA bypassing procedure mentioned above. The attack would require hackers to have a domain, a valid Transport Layer Security (TLS) certificate, and a copy of Modishka. They do not need a phishing template because they can easily copy the contents of the website they intend to phish.

What Other Controls Can Stop Such Phishing Attacks?

There are several methods one can take in order to protect against various types of phishing schemes. A common solution is to employ an advanced spam filter that can prevent phishing emails from arriving in one’s inbox. Many such reliable software are available, most of which can block as much as 99% of spam and phishing emails.

However, there are still cases where malicious emails can bypass spam filters, and it only takes one to compromise the victim’s accounts. That is why security awareness training and education is important, especially for enterprises with huge workforces. All of the employees of an organization must be taught to identify and verify suspicious emails so they can avoid becoming a phishing victim.

Web filters can also be used to automatically block access to known phishing websites in real-time. These can be quite handy since anyone can still make mistakes and be fooled by highly realistic phishing emails.

* * *

As you can see, 2FA is still a great cybersecurity measure to help protect against unauthorized access. It, however, isn’t a magic solution to stop all kinds of cyber attacks, especially those that use complex tools and tactics. That is why companies today should still apply other safety solutions and packages to avoid being a victim of threat actors.