DeepSeaX

5 Ways Attackers Bypass Your 2FA — And How to Stop Them

You enabled two-factor authentication on everything. You feel secure.

You should not.

MFA bypass is one of the most common findings in penetration tests. In fact, attackers are routinely bypassing 2FA using techniques that have been known for years — and most organizations still have not patched the gaps.

Here are five real techniques attackers use, and what you can do about each one.


1. Push Notification Fatigue (MFA Bombing)

How it works: The attacker already has your password (from phishing or a breach dump). They trigger login attempts repeatedly, flooding your phone with MFA push notifications at 2 AM until you tap "Approve" just to make it stop.

Real-world example: This exact technique was used in the 2022 Uber breach. The attacker spammed a contractor with push notifications, then messaged them on WhatsApp pretending to be IT support: "Just approve it, we are fixing an issue."

The attacker needs: Your password + patience.

How to defend:

  • Use number matching — the user must type a number shown on the login screen
  • Set rate limits on push notifications (max 3 per hour)
  • Alert on repeated failed MFA attempts from the same account
  • Train users: "If you did not initiate the login, DENY and report"
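An added example (not code from the original post) that applies the first three defenses above in one push-MFA policy: a cap of 3 pushes per account per hour, number matching on approval, and an alert once rejected or mismatched pushes pile up. The class, the alert threshold of 3 and the injectable clock are constructed for illustration.

```python
import secrets
import time
from collections import defaultdict, deque

PUSH_LIMIT_PER_HOUR = 3      # the cap named in the post: max 3 pushes per hour
WINDOW_SECONDS = 3600
ALERT_AFTER_FAILED = 3       # constructed threshold: alert after this many rejected pushes


class PushMfaPolicy:
    def __init__(self, now=time.time):
        self.now = now                          # injectable clock so the window can be tested
        self.push_times = defaultdict(deque)    # account -> timestamps of pushes sent
        self.pending = {}                       # challenge_id -> (account, number shown on screen)
        self.failed = defaultdict(int)          # account -> consecutive denied/mismatched pushes
        self.alerts = []                        # what a SOC queue would receive

    def request_push(self, account):
        """Send a push only while the account is under the hourly cap.
        Returns (challenge_id, number_to_display) or None when rate-limited."""
        q = self.push_times[account]
        now = self.now()
        while q and now - q[0] > WINDOW_SECONDS:   # sliding one-hour window
            q.popleft()
        if len(q) >= PUSH_LIMIT_PER_HOUR:
            self.alerts.append(f"push rate limit hit for {account}")
            return None
        q.append(now)
        challenge_id = secrets.token_hex(8)
        number = secrets.randbelow(100)           # two-digit number shown on the login screen
        self.pending[challenge_id] = (account, number)
        return challenge_id, number

    def respond(self, challenge_id, approved, typed_number=None):
        """Number matching: an approval counts only if the user typed the number
        displayed on the login screen, so a blind 'Approve' tap is not enough.
        Denials and mismatches are counted and alerted on."""
        account, number = self.pending.pop(challenge_id)
        if approved and typed_number == number:
            self.failed[account] = 0
            return True
        self.failed[account] += 1
        if self.failed[account] >= ALERT_AFTER_FAILED:
            self.alerts.append(f"{self.failed[account]} rejected MFA pushes for {account}")
        return False
```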

2. Response Manipulation

How it works: The attacker intercepts the HTTP response from the MFA verification endpoint and changes it from "failed" to "success."

If the application treats the response body as the proof that MFA passed (a client-side check) instead of recording success in a server-side session flag, the rewritten response is accepted and the attacker is in.

How common is this? More than you would think. We find this in roughly 15% of web application penetration tests where MFA is implemented in-house rather than using a mature library.

How to defend:

  • Server-side validation only — never trust client-side MFA checks
  • Set a server-side session flag after successful MFA verification
  • Use signed/encrypted tokens that cannot be tampered with
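An added example (not the post's code) contrasting the anti-pattern with the defenses listed above: the only record of "MFA passed" is a server-side session flag, so a proxy that rewrites the response body fools the client but not the authorization check; a signed token is shown as the alternative the last bullet names. The server class, the constructed code "492817" and the in-memory key are illustrative assumptions.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed; a real service loads this from a secret store


class MfaServer:
    """Minimal in-memory server: the only record of 'MFA passed' is the session flag."""

    def __init__(self):
        self.sessions = {}                       # session_id -> {"user": ..., "mfa_verified": bool}
        self.totp_codes = {"alice": "492817"}    # constructed stand-in for the authenticator's code

    def login_password(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "mfa_verified": False}
        return sid

    def verify_mfa(self, sid, code):
        """Returns the JSON body the client sees; the session flag is what actually counts."""
        sess = self.sessions[sid]
        ok = hmac.compare_digest(code, self.totp_codes[sess["user"]])
        if ok:
            sess["mfa_verified"] = True
        return json.dumps({"status": "success" if ok else "failed"})

    def get_protected(self, sid):
        """Authorization reads the server-side flag, never anything the client sent back."""
        sess = self.sessions.get(sid)
        return 200 if sess and sess["mfa_verified"] else 403


def vulnerable_client_gate(response_body):
    """The anti-pattern: the client treats the response body as proof of MFA.
    An intercepting proxy that rewrites "failed" to "success" defeats this check."""
    return json.loads(response_body)["status"] == "success"


def signed_mfa_token(sid):
    """Signed-token variant: the client cannot forge this without SERVER_KEY."""
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def verify_signed_token(token):
    sid, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)
```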

3. SIM Swapping (SMS OTP Theft)

How it works: The attacker convinces your mobile carrier to transfer your phone number to their SIM card. They now receive all your SMS messages — including OTP codes.

The process:

  1. Attacker gathers personal information (OSINT, social media, dark web)
  2. Calls your carrier pretending to be you
  3. Requests a SIM swap citing a "lost phone"
  4. Carrier transfers your number to attacker's SIM
  5. Attacker receives all SMS OTPs sent to your number

Cost on the dark web: SIM swap services cost 0-00 per target, with carrier insiders sometimes involved.

How to defend:

  • Stop using SMS for MFA — use TOTP (Google Authenticator) or FIDO2 keys instead
  • Set a carrier PIN on your mobile account
  • Register for carrier account change notifications
  • For critical systems, enforce hardware security keys (YubiKey)

4. Backup Code Exploitation

How it works: When you set up MFA, most services generate 8-10 backup codes for account recovery. These codes are:

  • Often stored in plain text files on the user's computer
  • Sometimes predictable (sequential or low entropy)
  • Rarely rotated or revoked
  • Not always rate-limited when entered

Attack scenario:

If backup codes are only 6-8 characters with a limited character set, they can sometimes be brute-forced — especially if there is no rate limiting on the backup code entry endpoint.

How to defend:

  • Generate backup codes with high entropy (12+ characters, alphanumeric)
  • Rate limit backup code attempts (lock after 5 failures)
  • Require additional verification when using backup codes
  • Audit backup code storage — encrypt at rest
  • Invalidate backup codes after use
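An added example (not the post's code) of a backup-code store built to the checklist above: 12-character alphanumeric codes from a CSPRNG, salted hashes at rest, single use, and lockout after 5 failures, plus a helper that puts the entropy of a short digit-only code next to the recommended format. The class and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols: "12+ characters, alphanumeric"
CODE_LENGTH = 12
MAX_FAILURES = 5                                    # "lock after 5 failures"


def keyspace_bits(length, alphabet_size):
    """Entropy in bits of a code of the given length over the given alphabet."""
    return length * math.log2(alphabet_size)


def generate_backup_codes(count=10):
    """Codes come from secrets (CSPRNG), never from a counter or a predictable seed."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH)) for _ in range(count)]


def hash_code(code, salt):
    # Backup codes are secrets like passwords: store a salted hash, not the plaintext.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class BackupCodeStore:
    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.hashes = {hash_code(c, self.salt) for c in codes}   # at rest: hashes only
        self.failures = 0
        self.locked = False

    def redeem(self, code):
        """True at most once per valid code; locks the account after MAX_FAILURES bad attempts."""
        if self.locked:
            return False
        h = hash_code(code.strip().lower(), self.salt)
        for stored in self.hashes:
            if hmac.compare_digest(h, stored):
                self.hashes.remove(stored)    # invalidate after use
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True                # further attempts need additional verification
        return False
```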

5. OAuth/SSO Bypass

How it works: Many applications offer MFA for direct login but skip it entirely when you use "Sign in with Google" or SSO. The logic looks like this:

The attacker targets the SSO flow, which may not enforce the same MFA policy. Or they find a way to switch from MFA-required direct login to non-MFA SSO login mid-flow.

Variations:

  • Downgrade from FIDO2 to SMS OTP (then SIM swap)
  • Switch from MFA-enforced IdP to one without MFA
  • Exploit "remember this device" cookies to skip MFA entirely

How to defend:

  • Enforce MFA at the identity provider level, not the application level
  • Apply consistent MFA policy across ALL login methods
  • Audit "remember device" cookie lifetime and scope
  • Test SSO bypass scenarios in your penetration tests
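An added example (not the post's code) of the consistent policy the defenses above call for: one authorization check that every login path goes through, so an OAuth or SSO login cannot skip MFA and an SMS-only assertion from the IdP cannot stand in for a strong factor. It reads the IdP's `amr` claim (the authentication method references of RFC 8176); which values count as strong, the 14-day cap on "remember this device" cookies and the cookie format are constructed assumptions.

```python
import hashlib
import hmac
import time

COOKIE_KEY = b"constructed-key-for-example"    # a real app loads this from a secret store
REMEMBER_MAX_AGE = 14 * 24 * 3600              # constructed: 14-day cap on a remembered device
STRONG_AMR = {"hwk", "otp", "mfa"}             # assumed strong; "sms" and "pwd" deliberately excluded


def vulnerable_mfa_check(login_method, mfa_verified_locally):
    # The anti-pattern: MFA is enforced only on the password path, so any
    # OAuth/SSO login is waved through.
    return login_method != "password" or mfa_verified_locally


def remember_cookie(user, device_id, issued_at):
    """Remembered-device cookie bound to user and device, signed so it cannot be edited."""
    payload = f"{user}|{device_id}|{issued_at}"
    mac = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def remember_cookie_valid(cookie, user, device_id, now):
    try:
        c_user, c_device, issued, mac = cookie.split("|")
    except ValueError:
        return False
    expected = hmac.new(COOKIE_KEY, f"{c_user}|{c_device}|{issued}".encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(mac, expected) and c_user == user and c_device == device_id
            and now - int(issued) <= REMEMBER_MAX_AGE)   # scope and lifetime both checked


def mfa_satisfied(login_method, amr_claims=(), mfa_verified_locally=False,
                  cookie=None, user=None, device_id=None, now=None):
    """Same rule for password, OAuth and SSO logins: a strong factor must be proven."""
    now = time.time() if now is None else now
    if cookie and remember_cookie_valid(cookie, user, device_id, now):
        return True
    if login_method == "password":
        return mfa_verified_locally
    # OAuth/SSO: trust the IdP only if it asserts a strong second factor
    return bool(STRONG_AMR & set(amr_claims))
```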

The Uncomfortable Truth

MFA is still better than no MFA. But it is not the impenetrable wall most people believe it is. The techniques above are not theoretical — they are used daily by both criminals and penetration testers.

The difference? Penetration testers find these gaps before criminals exploit them.


Test Your MFA Implementation

Is your MFA actually protecting your users, or just giving them a false sense of security?

TheInsider-x.com offers free AI-powered penetration testing during our beta period. Our assessments specifically test MFA implementations for the bypass techniques described above.

Start your free security assessment →


Based on real penetration testing findings and OWASP MFA testing guidelines.

Part of our Threat Intelligence Briefing series.
