Does 2FA Help Prevent Unauthorized Access in Phishing Attacks?

2FA alone does not help in this scenario. If the 2FA input screen on bank.com does not have other protections, like TLS, pinning/HSTS, MITM protection, and/or does not verify the client or detect login anomalies, then there is a vulnerability.

This is a case where an integrated password manager in the browser can help the end-user, by not providing the credentials to begin with.

Other types of 2FA, besides user-entered codes, offer greater protection.


Security keys like YubiKey, Titan Key, Nitrokey, and SoloKey use the U2F protocol, which is immune to phishing by mixing the domain into the nonce. In order for this to happen, the attacker would have to have control of the domain. And if you're talking about a browser, they are configured to also require the page to be a valid HTTPS connection, meaning the attacker would also have to have control of the site's private certificate.

At this point the attacker already has control of everything.

I want to say it's something like this:

response = secretkey_encrypt(HMAC(CHALLENGE, SHA256(base domain)))
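To show the origin binding the answer above describes, here is an added simulation that is not part of the original answer and not the U2F specification's own code. Real U2F/WebAuthn keys sign with an ECDSA P-256 key generated on the device; this example stands in an HMAC over the same message layout (application parameter, counter, hash of the client data) so it runs with the standard library only. The domains bank.com and bank-login.example, the function names and the counter values are assumptions for illustration. The point it demonstrates is that the browser, not the page, supplies the origin, so a real-time relay of bank.com's challenge through a phishing page yields an assertion bank.com rejects, with or without the attacker editing the client data.

```python
"""Simulated U2F/WebAuthn-style origin binding (added illustration).

Real U2F/WebAuthn signs with an ECDSA P-256 key held in the security key;
an HMAC over the same message layout stands in for that signature here.
Domains and counters below are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets

# Per-credential secret registered with bank.com at enrollment (stand-in for
# the key pair a real security key would generate and attest).
CREDENTIAL_KEY = secrets.token_bytes(32)


def app_param(rp_id: str) -> bytes:
    """SHA-256 of the relying-party identifier (the U2F application parameter)."""
    return hashlib.sha256(rp_id.encode()).digest()


def browser_sign(page_origin: str, challenge: bytes, counter: int) -> dict:
    """What the browser plus security key produce for a page at `page_origin`.

    The browser supplies the origin from the URL bar; the page cannot choose
    it. The signed message is app_param || counter || SHA-256(client_data).
    """
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": page_origin}, sort_keys=True
    ).encode()
    rp_id = page_origin.split("://", 1)[1]
    msg = (app_param(rp_id)
           + counter.to_bytes(4, "big")
           + hashlib.sha256(client_data).digest())
    sig = hmac.new(CREDENTIAL_KEY, msg, hashlib.sha256).digest()
    return {"client_data": client_data, "counter": counter, "signature": sig}


def rp_verify(expected_rp_id: str, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party check: origin matches, challenge matches, signature valid."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != "https://" + expected_rp_id:
        return False
    if cd.get("challenge") != expected_challenge.hex():
        return False
    msg = (app_param(expected_rp_id)
           + assertion["counter"].to_bytes(4, "big")
           + hashlib.sha256(assertion["client_data"]).digest())
    expected = hmac.new(CREDENTIAL_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login() -> bool:
    """User is really on bank.com: the assertion verifies."""
    challenge = secrets.token_bytes(32)          # issued by bank.com
    assertion = browser_sign("https://bank.com", challenge, counter=1)
    return rp_verify("bank.com", challenge, assertion)


def relayed_phish() -> bool:
    """Attacker on bank-login.example relays bank.com's challenge in real time."""
    challenge = secrets.token_bytes(32)          # fetched from bank.com by the attacker
    # The victim's browser signs for the origin it is actually on.
    assertion = browser_sign("https://bank-login.example", challenge, counter=2)
    # Attacker forwards the assertion to bank.com unchanged: rejected.
    return rp_verify("bank.com", challenge, assertion)


def relayed_phish_with_forged_origin() -> bool:
    """Attacker rewrites client_data to claim bank.com; the signed hash no longer matches."""
    challenge = secrets.token_bytes(32)
    assertion = browser_sign("https://bank-login.example", challenge, counter=3)
    forged = dict(assertion)
    forged["client_data"] = json.dumps(
        {"challenge": challenge.hex(), "origin": "https://bank.com"}, sort_keys=True
    ).encode()
    return rp_verify("bank.com", challenge, forged)


if __name__ == "__main__":
    print("legitimate login:", legitimate_login())
    print("relayed phish:", relayed_phish())
    print("forged origin:", relayed_phish_with_forged_origin())
```

Note that the relayed case fails even if you delete the explicit origin comparison in `rp_verify`: the browser hashed bank-login.example into the application parameter, so the signature cannot verify against bank.com's parameter. That is the "mixing the domain into the nonce" the answer refers to.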


It reduces the window in which an attack may be carried

Consider the case where the connection does not have 2FA, only user and password. The victim provided his bank credentials and doesn't even realize after the fact that it was phishing. The attacker can later use them to log in as the user and empty the account. Perhaps during the night, when the user is more likely not to notice. Or leverage that access over several days to overcome the daily transfer limit. Or three months later, when he has completely forgotten about that phishing, those credentials could have been sold to someone else who then uses them for money laundering.

As you rightly note, the use of 2FA does not prevent an attacker from logging into the account at that same time as a result of the phishing. The previous scenarios, however, are no longer feasible. The attack must be carried out at the time the user is entering their credentials. Even a minute later, the second factor will have expired. It does not completely prevent the attacker logging in (for that you would need a U2F/FIDO/WebAuthn device, which also verifies the site you log into), but it does raise the effort required.

Plus, when using SMS, some sites actually describe the action that is going to be performed, so such description may serve as an additional layer of defense ("The page states it needs my code to give me a free gift, but the SMS says it will authorize a transfer of several thousand dollars?" ).

On the other hand, some scenarios are solved by the use of a second factor, such as a shoulder-surfer discovering the credentials or the concern that the password could be brute-forced.
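To make the "even a minute later" claim in the answer above concrete, here is an added TOTP (RFC 6238) example that is not part of the original answer. It implements the standard HMAC-SHA1 HOTP/TOTP computation and a verifier that accepts only the current 30-second step plus one step of clock skew either side (the skew width is a common choice, not something the answer specifies). `replay_outcome` models a victim entering a code at time `t0` and the attacker submitting the same code some seconds later; the secret is the RFC 6238 test-vector secret and `t0` is a constructed timestamp.

```python
"""TOTP (RFC 6238) time-window demonstration (added example).

Shows why a code phished at one moment is useless shortly afterwards: the
verifier accepts the current step and one step either side only.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP step (RFC 6238 default)
DIGITS = 6
SKEW = 1       # accept one step either side for clock drift (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, now: int, skew: int = SKEW) -> bool:
    """Accept `code` if it matches any step within +/- skew of `now`."""
    current = now // STEP
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-skew, skew + 1))


def replay_outcome(delay_seconds: int) -> bool:
    """Victim types the code at t0; attacker submits it `delay_seconds` later.

    Returns whether the bank's verifier would still accept it.
    """
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret
    t0 = 1_234_567_890                 # constructed timestamp, start of a step
    phished_code = totp(secret, t0)
    return verify_totp(secret, phished_code, t0 + delay_seconds)


if __name__ == "__main__":
    for delay in (0, 20, 60, 90):
        print(f"code replayed {delay:3d}s later ->",
              "accepted" if replay_outcome(delay) else "rejected")
```

A real-time relay (delay of a few seconds) still succeeds, which is exactly the residual risk the answer points out; anything beyond the skew window is rejected, so the "sell the credentials three months later" scenario is gone. In production the server should additionally refuse to accept the same code twice within a window, so that even a zero-delay replay after the victim's own login fails.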