Cybercrime is continually rising: one fairly recent study by LexisNexis Risk Solutions reports a 20% annual increase in the global digital attack rate, driven by an uptick in attacks on the e-commerce and financial services industries.

Digital security is paramount, and there are now several advanced forms of protection available for businesses to leverage, including two-factor authentication. But what if such measures aren't fail-safe and actually have some vulnerabilities, leaving critical company and customer data exposed to certain threats?

This article answers some important questions about the strengths and weaknesses of two-factor authentication (2FA). It also discusses exactly how secure 2FA is and what you can do to ensure this method of digital security is as effective as possible in its implementation.

What is two-factor authentication (2FA)?

2FA, also known as 2-step verification, is a security mechanism that protects the login process for apps and services that control user access. It is the most common form of multi-factor authentication (MFA): MFA requires two or more factors, 2FA exactly two.

As its name suggests, 2FA uses two independent factors to verify a user's identity at login. For the second factor to add real protection it must come from a different category than the first: something the user knows (a password or PIN), something they have (a phone, an authenticator app or a hardware key), or something they are (a biometric). Two things the user knows, such as a password plus a memorised PIN, are still only one factor.

The 2FA process is based on two steps.

  • Layer one: a customer enters their username and password to log into their account online.

  • Layer two: the customer then proves a second factor, such as a one-time code generated by or delivered to a device in their possession, to complete the login process.

How does two-factor authentication prevent hacking and other crimes?

According to Microsoft, MFA can prevent 99.9% of attacks involving compromised accounts.

2FA offers many benefits for businesses and customers, the main one being that it helps to prevent fraud. A stolen or guessed password is no longer enough on its own: the attacker also needs the second factor, which normally lives on a device they do not control. That extra requirement stops the bulk of automated attacks outright (credential stuffing, password spraying) and forces a human attacker to work much harder for each account.

Other benefits include reduced helpdesk and support costs (for example, customers can recover forgotten passwords via the second factor rather than calling support), increased internal security and more. One caveat on recovery: if the second factor alone can reset the password, it becomes a single point of failure, so a reset flow should require more than the one factor an attacker might already hold.

Popular types of multi-factor authentication

So, what factors can be used in an effective 2FA system? Combined with a strong password for layer one, any of the following six options can work well for layer two of your two-step verification process.

One-time passwords or codes

One-time passwords (OTPs) can only be used once and usually expire quickly. One of the most common methods of issuing OTPs is via SMS verification. An OTP is sent to the user's mobile via text message, making this one of the most user-friendly 2FA methods: it's very straightforward, quick and convenient for both businesses and customers. It is also the weakest of the six options here: the code travels over the phone network, where it can be redirected (see SIM jacking below), and a user can be talked into reading it out to an attacker. NIST SP 800-63B classes SMS and voice OTP as a "restricted" authenticator for these reasons. It is still far better than a password alone.

Alternatively, OTPs can be sent via email. Or, in the rare event that SMS and email fail to deliver or aren't accessible at the time of login, the user can ask the service to call them and read the verification code out over the phone. The same caveats apply: the code is only as safe as the channel it is delivered over.

Authenticator apps

Authenticator apps are third-party apps that generate a time-sensitive code on the user's own device to complete the login process. Most implement the TOTP standard (RFC 6238): at setup the service shares a secret with the app, usually as a QR code, and from then on both sides derive the same six-digit code from that secret and the current time, typically in 30-second steps. Nothing is sent over the phone network, so SIM jacking does not apply. Examples include Google Authenticator and LastPass Authenticator.

In this case, the user must download the third-party app to their mobile phone and connect it with the services they want to use. They then open the app when prompted to fetch and enter their unique authentication code during login.

Biometrics

Biometric authentication uses different types of biometric data to verify a person's identity. Biometric data relies on very specific, individual characteristics, so it is deemed one of the more secure 2FA methods. Examples include facial recognition, fingerprint ID, retina scanning and voice recognition. Two caveats: unlike a password, a biometric cannot be changed if it leaks, and every matcher has a non-zero false-accept rate. For both reasons most real deployments use the biometric only to unlock a key held on the user's device (as a phone or a passkey does) rather than sending the biometric itself to the service.

Biometric authentication involves a sensor, software that converts the scan into a template and compares it with the one enrolled, and storage for that template, ideally a secure hardware element on the device rather than a central database.

Hardware tokens

Hardware tokens are physical devices that users carry with them for 2FA. They come in two kinds. The older type has a small display showing an OTP that changes every minute or on each button press; banks sometimes issue these to customers for authorising online transactions. The newer type, a security key (FIDO2/U2F), looks like a USB flash drive or works over NFC, and instead of showing a code it answers a cryptographic challenge from the site with a signature that is bound to the site's real domain. That binding is why security keys are the one method in this list that a phishing page cannot relay.

Push notifications

Push notifications work similarly to SMS messages in that a notification pops up on the user's mobile device. However, they can also be sent to desktop devices, as they are 'pushed' through a third-party app that the user has installed rather than over the phone network.

For 2FA, the push notification is sent to the user's mobile device, where they can approve or reject the login request. Wise, the online international money transfer app, uses this method. Because approving takes one tap, an attacker who already has the password can fire prompts repeatedly until the user taps approve just to make them stop (known as MFA fatigue or push bombing). Prompts that show where the request came from and make the user type a number displayed on the login screen (number matching) close that gap.

Certificate-based authentication

Certificate-based authentication is a cryptographic technique. It uses digital certificates to verify a user or device before granting access to a system or network. The certificate and its private key are installed on the device, so they act as a possession factor: this is useful in the workplace to confirm that a specific employee is logging on from a particular managed laptop.

Website TLS (still widely called SSL) uses the same mechanism in the other direction: when a user visits an https:// site, the browser checks the site's certificate and warns if it does not validate. That authenticates the website to the user, not the user to the website, so it is not a 2FA factor on its own. The variant that does count is mutual TLS, where the browser also presents a client certificate installed on the user's device.


Can two-factor authentication be hacked?

We now know how 2FA prevents hacking, but can hackers get past 2FA?

The short answer: Yes, 2FA can be bypassed by hackers. But before we get into the potential weaknesses of 2FA, it's worth noting that even the biggest cybersecurity companies aren't immune to digital attacks.

Case in point: the leading cybersecurity company FireEye, whose clients include tech giants like Sony and Red Hat, had its own systems breached in 2020. Ironically, the attackers made off with some of FireEye's own red-team hacking tools, which could be used to mount new attacks around the world.

Another recent example is the infamous LastPass breach, where an attacker compromised an employee's home computer and used it to steal the contents of a decrypted corporate vault that only a handful of the company's developers had access to.

With such high-level security systems being vulnerable to attacks, it should be no surprise that 2FA isn't 100% foolproof. But while many criminals have figured out how to get around 2-step verification, there are certain steps you can take for protection against those vulnerabilities.

7 ways 2-step verification can be bypassed

Here are some 2FA bypass techniques that can result in major breaches, and most importantly, some tips to help you prevent these types of hacks.

1. Social engineering

This is where an attacker uses psychological manipulation to trick the customer or user into revealing sensitive authentication credentials. Phishing is one type of social engineering scam, but there are others.

Social engineering attacks can affect any 2FA system that relies on human interaction, such as entering an OTP. Security awareness training company KnowBe4's CEO Stu Sjouwerman warns, "Social engineering if you do it right can be used to get into almost anything." So how can you stay safe?

To prevent this hack, educate yourself and your team on the most common social engineering tactics so you all know what to look out for. Also, educate customers and remind them to be wary of requests for sensitive information. They should always verify the authenticity of the request through a separate communication channel. Above all, no legitimate service will ever ask a user to read a one-time code back to it over the phone or in a message; a request to do so is the scam.

2. Phishing

As mentioned, phishing is a type of social engineering, but it is carried out more subtly. The attacker sets up a copy of a real login page (a bank, a webmail service, or a social platform whose login is reused by other sites) and lures the user to it by email or text. Everything the user types into the fake page, the password and then the one-time code, is captured. A related variant, consent phishing, does not ask for credentials at all: it tricks the user into granting a malicious app OAuth access to their account, which sidesteps both the password and 2FA.

Again, this attack can affect all 2FA methods where the user submits a code online: modern phishing kits act as a reverse proxy to the real site, forward the code within the seconds it remains valid, and often capture the session cookie issued afterwards as well. The methods that resist it are the ones with nothing to type: a security key or passkey signs a challenge bound to the site's real domain, so a signature produced while the browser is on a look-alike domain is rejected. Check the address bar before entering any code, and move administrators and other high-value accounts to phishing-resistant factors first.

3. SIM jacking

Also known as SIM swapping, this attack targets the user's phone number rather than the SIM card itself. The attacker persuades, tricks or bribes the mobile carrier into transferring the number to a SIM card they control. From then on they receive the victim's calls and SMS messages, including one-time codes, while the victim's own phone loses service.

SIM jacking directly affects SMS- and voice-based 2FA systems. Users can reduce the occurrence of such 2FA scams by setting a port-out or account PIN with their carrier, by using a different phone number for 2FA than the one they give out for general communications, and above all by moving important accounts to an authenticator app or hardware key, which a stolen phone number cannot reach. A phone that suddenly drops to "no service" is an early warning to contact the carrier at once. Good mobile device security also deters hackers and helps keep two-factor authentication safe.

4. Credential stuffing

Another way 2-step verification can be got around is via credential stuffing, where attackers try to breach a system using lists of usernames and passwords leaked from other sites, betting that people reuse them. Bots are used to automate the process and maximise the chances of a successful hit.

Credential stuffing attacks the first factor. On its own it does not defeat a properly enforced second factor, but it gets the attacker past the password and into position for the other techniques on this list (push bombing, OTP phishing), and it succeeds outright on every account where 2FA is optional and has not been switched on.

The best prevention measure here is to use long, unique passwords made up of random letters, numbers and special characters, ideally generated and stored by a password manager, and never to reuse a password across services. Enforce 2FA rather than leaving it optional. Be sure to set up account alerts online and monitor closely for any suspicious activity; on the service side, rate-limit logins per source and per account and check new passwords against known-breach lists.
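Credential stuffing is visible in authentication logs before the attacker ever reaches the second factor, because a bot working through a leaked list fails across many different usernames from the same source in a short time, whereas a real user who mistypes fails on one. The following is an added example for this article, not code from any product. It runs a simple detector over constructed sample log lines in an assumed format (timestamp, source IP, username, OK/FAIL); the IP addresses are documentation ranges and the usernames are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system). Assumed
# format per line: ISO-8601 timestamp, source IP, username, OK|FAIL.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 alice FAIL
2024-05-01T10:00:09Z 203.0.113.5 alice OK
2024-05-01T10:00:11Z 198.51.100.7 alice FAIL
2024-05-01T10:00:12Z 198.51.100.7 bob FAIL
2024-05-01T10:00:13Z 198.51.100.7 carol FAIL
2024-05-01T10:00:14Z 198.51.100.7 dave FAIL
2024-05-01T10:00:15Z 198.51.100.7 erin OK
2024-05-01T10:00:16Z 198.51.100.7 frank FAIL
2024-05-01T10:02:00Z 203.0.113.9 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result


def detect_credential_stuffing(lines, window_s=300, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any `window_s`-second window, try at least
    `min_distinct_users` different usernames with a failure ratio of at least
    `min_fail_ratio`. A legitimate user mistyping their own password fails on
    one username; a stuffing bot fails across many."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse_line(l) for l in lines if l.strip()):
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            distinct = {u for _, u, _ in window}
            fail_ratio = sum(r == "FAIL" for _, _, r in window) / len(window)
            if len(distinct) >= min_distinct_users and fail_ratio >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(events),
                    "distinct_users": len({u for _, u, _ in events}),
                    # accounts the bot actually got into: these need a forced
                    # password reset and a second-factor challenge on any
                    # session the bot opened
                    "compromised": sorted({u for _, u, r in events if r == "OK"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the sample above only 198.51.100.7 is flagged: six usernames in six seconds with five failures, and one account (erin) that the bot got into, which is exactly the account where an optional, unenabled 2FA would have made the difference. The thresholds are deliberately crude; a real deployment would also look at password-reuse patterns across many source IPs, since stuffing tools rotate through proxies to stay under per-IP limits.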

5. Malware

Malware is a blanket term that refers to malicious software designed to harm or exploit a device, system, service, or network. It can be easily downloaded onto your machine simply by clicking a malicious link or visiting a spoof website. Once installed, malware can invade and damage computers, systems, and networks to steal data, alter core computer functions, or spy on computer activities.

Malware on the user's device can read one-time codes, not just from incoming SMS but also from authenticator apps, and on a compromised computer it can simply steal the session cookie issued after a successful 2FA login, so the attacker never has to face the second factor at all. Hardware keys fare better here because their secret never leaves the key. Reduce the risk of malware by never opening suspicious files or installing unverified software. Use a good antivirus on all your devices and keep it, and the devices themselves, up to date.

6. Man-in-the-middle attacks

A man-in-the-middle attack is where an attacker intercepts conversations (or data transfers) between the user and the online service or authentication method being used. Once in the 'middle' of the transfer, the attacker can capture any information from either party, including login credentials and authentication codes, and can alter it in transit.

Man-in-the-middle attacks can affect any 2FA method that sends a code over a network. To mitigate the risk and keep 2-factor authentication safe, log in only over HTTPS to the exact domain you expect (a phishing proxy has a perfectly valid certificate for its own look-alike domain, so the padlock alone proves little), avoid logging in over untrusted Wi-Fi, use end-to-end encrypted channels when you must share sensitive information, and think twice before submitting sensitive information online. Factors that sign a challenge bound to the site's domain, such as security keys and passkeys, are immune to this kind of relay.
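Phishing (technique 2) and man-in-the-middle attacks come down to the same thing: a code the user types can be forwarded to the real site by whoever sits between them, but a signature over the browser's real origin cannot. The added example below, written for this article and not code from Wise, Google or any other product, simulates both paths in Python. The names RelyingParty and Authenticator, the origins used, and the use of an HMAC over a per-site secret in place of a real security key's asymmetric signature are simplifications made for the example; the property it demonstrates, that the browser derives the site identity from the page's origin and the key signs over it, is the real one.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class Authenticator:
    """Stand-in for a FIDO2/U2F security key (example code, not a real one).
    A real key holds a private key per site and signs with it; here an HMAC
    over a per-site secret plays the part of that signature so the example
    runs with the standard library only."""

    def __init__(self):
        self.keys = {}   # rp_id (site host name) -> per-site secret

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]   # shared with the site at enrolment (stands in for the public key)

    def sign(self, challenge, browser_origin):
        # The browser, not the web page, decides which site identity is used:
        # it is derived from the origin of the page making the request.
        rp_id = urlparse(browser_origin).hostname
        if rp_id not in self.keys:
            return None   # no credential for this site: nothing for a phishing kit to relay
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.keys[rp_id], hashlib.sha256(client_data.encode()).digest(), "sha256").hexdigest()
        return client_data, sig


class RelyingParty:
    """The genuine website."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.device_keys, self.pending_challenge, self.pending_otp = {}, {}, {}

    def register_device(self, user, authenticator):
        self.device_keys[user] = authenticator.register(self.rp_id)

    def send_sms_otp(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_otp[user] = code
        return code   # "texted" to the user's phone

    def finish_with_otp(self, user, code):
        # The site cannot tell which web page the user typed the code into.
        return hmac.compare_digest(self.pending_otp.pop(user, "-"), code)

    def begin_login(self, user):
        self.pending_challenge[user] = secrets.token_hex(16)
        return self.pending_challenge[user]

    def finish_with_assertion(self, user, client_data, sig):
        expected_challenge = self.pending_challenge.pop(user, None)   # one-shot, consumed either way
        data = json.loads(client_data)
        expected_sig = hmac.new(self.device_keys[user], hashlib.sha256(client_data.encode()).digest(),
                                "sha256").hexdigest()
        return (data["origin"] == self.origin                 # the signed origin must be ours
                and data["challenge"] == expected_challenge   # and the challenge must be the live one
                and hmac.compare_digest(expected_sig, sig))


def simulate(phishing_origin="https://examp1e.com"):
    """Run the two relay attempts and a genuine login; report which the site accepted."""
    rp = RelyingParty("example.com", "https://example.com")
    key = Authenticator()
    rp.register_device("alice", key)
    out = {}

    # 1. SMS OTP. Alice is on the phishing page, which has already forwarded her
    #    password. The site texts her a code, she types it into the fake page,
    #    and the kit submits it to the real site within seconds.
    code = rp.send_sms_otp("alice")
    out["otp_relayed_accepted"] = rp.finish_with_otp("alice", code)

    # 2. Security key. The kit forwards the real challenge to the fake page, but
    #    Alice's browser is on the phishing origin, so the key finds no credential
    #    for it and produces nothing for the kit to relay.
    challenge = rp.begin_login("alice")
    out["assertion_relayed_accepted"] = key.sign(challenge, phishing_origin) is not None

    # 3. Control: the same key from the genuine origin logs in normally ...
    challenge = rp.begin_login("alice")
    client_data, sig = key.sign(challenge, rp.origin)
    out["genuine_accepted"] = rp.finish_with_assertion("alice", client_data, sig)
    # ... and a captured copy of that assertion is useless afterwards, because
    #     the challenge was consumed by its first use.
    out["replay_accepted"] = rp.finish_with_assertion("alice", client_data, sig)
    return out


if __name__ == "__main__":
    print(simulate())
```

The point of the three scenarios is that the SMS path fails for a structural reason, not a user-care reason: the site has no way to know where the code was typed. The origin check in `finish_with_assertion` is the server-side half of the same defence, and the consumed challenge is what stops a captured assertion from being replayed later.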

7. Physical theft

This type of attack can happen to anyone, anywhere, at any time. It's where physical hardware, like mobile devices, laptops and hardware tokens, is stolen. It affects any 2FA method that depends on possessing a device: a phone that receives SMS codes or runs an authenticator app, or a physical security key.

To prevent physical theft, keep your devices secured at all times: on your person, under lock and key, hidden from plain sight, and protected by a password, PIN or biometric lock so that a thief cannot read codes off the screen. Register a backup second factor before you need it, enable remote wipe on phones, and revoke the lost factor from every account the moment you notice it is gone. Most security keys also require a PIN or a touch, which limits what a thief can do with one.


2FA: Not 100% safe – but still a solid security measure

Strong cybersecurity is vital in the online space, particularly as cybercrimes such as 2FA scams are continually rising. Many businesses needing mid to high-level security rely heavily on 2FA to protect their systems and customer data from digital attacks.

How safe is 2FA? Can 2FA be hacked? How hard is it? The answers depend on several factors, such as the type of 2FA method used, the strength of device protection, the complexity of passwords, user awareness and online behaviour, and the attacker's determination.

While 2FA has its pros and cons, it's important to remember that two independent factors are far better than one. And there are additional measures, too, as described above, that can be implemented to protect your multi-factor authentication mechanism from succumbing to threats and attacks.