2FA Bypass Techniques
Also Known As
2FA bypass
SIM swap
MFA bypass
Evilginx
TL;DR
Common ways attackers circumvent two-factor authentication — SIM swapping, real-time phishing proxies, SS7 attacks, backup code theft, and session cookie hijacking after authentication.
Explanation
Common 2FA bypass techniques:
- SIM swap: the attacker convinces the carrier to transfer the victim's number to a SIM they control, which defeats SMS 2FA entirely.
- Real-time phishing proxy: a tool such as Evilginx2 transparently proxies the real site and captures the authenticated session cookie.
- SS7 protocol attacks: SMS is intercepted at the telephone network level.
- Backup code theft: recovery codes stored insecurely.
- Account recovery bypass: weak recovery options skip 2FA.
- Session hijacking: stealing the post-2FA session cookie, because 2FA protects only the login, not the session.
TOTP (authenticator apps) is significantly more resistant than SMS, but not immune to real-time proxy attacks.
Common Misconception
✗ Any 2FA makes you fully secure — SMS 2FA can be bypassed by SIM swap; even TOTP is vulnerable to real-time phishing proxies that capture the OTP as it's typed. Hardware keys (FIDO2/WebAuthn) are origin-bound and resistant to phishing.
Why It Matters
High-value accounts (email, banking, social media) are targeted specifically because attackers know how to bypass SMS 2FA — recommending SMS 2FA as sufficient creates false confidence.
Common Mistakes
- SMS 2FA for high-security accounts — SIM swap attacks are trivial for motivated attackers.
- Backup codes stored in plain text or cloud storage — the backup is the vulnerability.
- Post-2FA session with no anomaly detection — stolen session cookie bypasses 2FA entirely.
- Account recovery that bypasses 2FA — weakest link is the recovery path.
Avoid When
- Do not treat 2FA as a complete authentication solution — it mitigates credential theft but not session hijacking post-authentication.
- Never allow 2FA to be disabled via an unauthenticated or weakly authenticated account recovery path.
When To Use
- Test your 2FA implementation against known bypass patterns — SIM swap, real-time phishing proxies, and backup code theft.
- Use TOTP (time-based) over SMS 2FA — SS7 and SIM swap attacks make SMS codes interception-prone.
Code Examples
✗ Vulnerable
// Session that never re-authenticates — stolen cookie = full access:
session_start();
$_SESSION['user_id'] = $user->id;      // $user: the account whose password just checked out
$_SESSION['2fa_verified'] = true;      // set once after the OTP check and never revisited
// Session never expires, no IP/device binding, session id not rotated after login
// Attacker steals cookie via XSS or network interception
// Full account access — 2FA completely bypassed
✓ Fixed
// Mitigations beyond basic 2FA ($webauthn, requireReAuth() and $this->anomalyDetector are application-provided hooks):
session_start();
// 1. Prefer TOTP or WebAuthn over SMS:
$challenge = $webauthn->generateChallenge();
// 2. Bind session to device fingerprint. Headers are replayable by whoever captured the cookie,
//    so a mismatch is a reason to re-prompt for 2FA, not proof of theft on its own:
$deviceHash = hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . ($_SERVER['HTTP_ACCEPT'] ?? ''));
if (!isset($_SESSION['device_hash'])) {
    session_regenerate_id(true);             // fresh id once 2FA succeeds, so a pre-login cookie is useless
    $_SESSION['device_hash'] = $deviceHash;
} elseif (!hash_equals($_SESSION['device_hash'], $deviceHash)) {
    requireReAuth();
}
// 3. Short session lifetime with re-auth for sensitive operations.
//    Record the time when the second factor is verified:
$_SESSION['2fa_time'] = time();
//    ...and before each sensitive action, re-prompt if > 15 minutes since last 2FA:
if (time() - $_SESSION['2fa_time'] > 900) requireReAuth();
// 4. Anomaly detection: alert on new country/device
$this->anomalyDetector->check($user, $request);
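The Fixed snippet sketches its mitigations as fragments that depend on application hooks. The following is an added example, not code from the original page, that implements the two pieces the page leaves implicit end to end: binding a session to the moment of 2FA verification (id rotation, re-auth window, device-hash check) and storing backup codes only as password hashes with single-use redemption. It assumes PHP 7.1 or later; the class names TwoFactorSession and BackupCodes, the 15-minute window and the header-based fingerprint are illustrative choices. Session state is passed in as an array so the walkthrough runs from the CLI; in a web application you would pass $_SESSION by reference after session_start().

```php
<?php
declare(strict_types=1);

// Added example (not the page's own code). Assumes PHP 7.1+.
// Session state is an array here so this runs from the CLI; pass $_SESSION in a web app.

final class TwoFactorSession
{
    const REAUTH_WINDOW = 900; // seconds since the last 2FA before a sensitive action re-prompts

    // Fingerprint from request headers. A weak signal: whoever captured the
    // cookie on the wire can replay the same headers, so a mismatch is a
    // reason to re-prompt for the second factor, not proof of theft.
    public static function deviceHash(string $userAgent, string $acceptLanguage): string
    {
        return hash('sha256', $userAgent . "\0" . $acceptLanguage);
    }

    // Call once, immediately after the second factor is verified.
    public static function markVerified(array &$session, int $userId, string $deviceHash, int $now): void
    {
        // Rotate the session id so a cookie captured before login is worthless
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $session['user_id']      = $userId;
        $session['2fa_verified'] = true;
        $session['2fa_time']     = $now;
        $session['device_hash']  = $deviceHash;
    }

    // True when a sensitive action must re-prompt for the second factor:
    // nothing on record, verification older than the window, or headers changed.
    public static function needsStepUp(array $session, string $deviceHash, int $now): bool
    {
        if (empty($session['2fa_verified'])) {
            return true;
        }
        if ($now - (int) ($session['2fa_time'] ?? 0) > self::REAUTH_WINDOW) {
            return true;
        }
        return !hash_equals((string) ($session['device_hash'] ?? ''), $deviceHash);
    }
}

// Backup codes: show the plaintext once, persist only password_hash() digests,
// and burn each code on first successful use.
final class BackupCodes
{
    public static function issue(int $count = 8): array
    {
        $plain = [];
        $hashed = [];
        for ($i = 0; $i < $count; $i++) {
            $code     = bin2hex(random_bytes(5)); // 10 hex characters, 40 bits of entropy
            $plain[]  = $code;
            $hashed[] = password_hash($code, PASSWORD_DEFAULT);
        }
        return ['show_once' => $plain, 'store' => $hashed];
    }

    // Returns true and removes the matching digest; false leaves storage unchanged.
    public static function redeem(array &$stored, string $candidate): bool
    {
        foreach ($stored as $i => $digest) {
            if (password_verify($candidate, $digest)) {
                unset($stored[$i]);
                $stored = array_values($stored);
                return true;
            }
        }
        return false;
    }
}

// Walkthrough with constructed values (no web server needed)
$session = [];
$now     = 1700000000;
$device  = TwoFactorSession::deviceHash('Mozilla/5.0 (demo)', 'en-GB');

TwoFactorSession::markVerified($session, 42, $device, $now);
echo 'fresh session, same device:   ', var_export(TwoFactorSession::needsStepUp($session, $device, $now + 60), true), PHP_EOL;
echo 'window expired, same device:  ', var_export(TwoFactorSession::needsStepUp($session, $device, $now + 1000), true), PHP_EOL;
$otherDevice = TwoFactorSession::deviceHash('curl/8.0', 'en-GB');
echo 'within window, other headers: ', var_export(TwoFactorSession::needsStepUp($session, $otherDevice, $now + 60), true), PHP_EOL;

$issued = BackupCodes::issue(3);
$stored = $issued['store'];
echo 'first use of a backup code:   ', var_export(BackupCodes::redeem($stored, $issued['show_once'][0]), true), PHP_EOL;
echo 'replay of the same code:      ', var_export(BackupCodes::redeem($stored, $issued['show_once'][0]), true), PHP_EOL;
```

Two design choices worth noting: needsStepUp treats a missing or stale record exactly like a header mismatch, so the calling code has one decision point before every sensitive action; and redeem() uses password_verify rather than string comparison, so a leaked backup-code table is no more useful to an attacker than a leaked password table.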
Added
16 Mar 2026
Edited
31 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: High
⚡ Quick Fix
Prefer TOTP/WebAuthn over SMS; bind session to 2FA verification with short re-auth window for sensitive actions
📦 Applies To
PHP 5.0+
web
🔍 Detection Hints
SMS 2FA relying on mt_rand() or weak OTP; missing session binding after 2FA completion
Auto-detectable:
✗ No
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: High
Context: File
Tests: Update
CWE-308
CWE-303