Does Two-Factor Authentication Protect Businesses from Phishing Attacks?

Two-factor – or multi-factor – authentication is a simple control that makes it harder for unauthorized individuals to gain access to accounts and sensitive data. Rather than relying on a single factor for authentication such as a password, an additional factor is required, usually something an individual has.

This could be a card reader, which is often used by banks for verifying the identity of an individual who wants to make a transfer request, although most commonly it is a mobile phone. After entering a password, a code is sent to the mobile phone. That code is required to gain access to an account. This ensures that theft of a password – or guessing of a password – will not, by itself, allow the account to be accessed.

Can Two-Factor Authentication Protect Businesses from Phishing Attacks?

There have been many data breaches caused as a result of employees disclosing their passwords, often through phishing attacks. In many cases, the use of two-factor authentication would have prevented those phishing attacks from working.

Implementing two-factor authentication is a quick and easy way of improving security; however, it is not infallible. An attacker does not necessarily need to obtain both the password and the device used for the second factor of authentication.

The ease of bypassing two-factor authentication was demonstrated recently in a video from KnowBe4’s Chief Hacking Officer Kevin Mitnick. In the video he demonstrates an exploit that can be used to bypass two-factor authentication and gain access to a user’s account, in this case, their LinkedIn account.

In the demonstration, a user is sent an email that appears to come from LinkedIn, asking them to add an individual as a contact. The email matches genuine correspondence from LinkedIn, apart from the domain. In this case, the domain is the same as the genuine domain apart from a single letter.

Clicking the link in the email directs the user to a spoofed LinkedIn site and a request to enter the username and password. Once the login credentials have been entered, the user is sent an authentication code to a mobile phone. The code is entered via the phishing website, and the user is directed to the real LinkedIn account. Unbeknown to the user, a successful phish has occurred.

Through the spoofed website, the username and password have been captured, and so too has the session cookie. With the session cookie the attacker can log in to LinkedIn without the need for a username, password, or two-factor authentication code. Any time the attacker wants to access the account the session cookie can be used, without the need for any further credentials.
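Because the stolen cookie is presented from the attacker's machine rather than the victim's, a server can catch the reuse described above by binding each session to the client context it was issued to at login. The following detection is an added example, not code from the article or from the demo it describes; the log format and the sample events are constructed for illustration.

```python
"""Flag a session cookie that is used from a client context other than the one
it was issued to. Added illustrative example; the log format and events below are
constructed, not taken from any real server."""
from dataclasses import dataclass

# Constructed web-server events: "<event> <session_id> <client_ip> <user_agent>"
SAMPLE_LOG = """\
login   s1a2b3 203.0.113.10 Mozilla/5.0-Desktop
request s1a2b3 203.0.113.10 Mozilla/5.0-Desktop
request s1a2b3 198.51.100.7 curl/8.0
login   c4d5e6 192.0.2.44 Mozilla/5.0-Mobile
request c4d5e6 192.0.2.44 Mozilla/5.0-Mobile
"""


@dataclass
class SessionContext:
    """Client attributes recorded when the session cookie was issued."""
    ip: str
    user_agent: str


def parse_events(log_text: str):
    """Yield (event, session_id, ip, user_agent) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            yield tuple(parts)


def find_session_misuse(log_text: str) -> list[dict]:
    """Bind each session to the IP/user-agent seen at login and report any later
    request that presents the same cookie from a different context."""
    bound: dict[str, SessionContext] = {}
    alerts: list[dict] = []
    for event, sid, ip, ua in parse_events(log_text):
        if event == "login":
            bound[sid] = SessionContext(ip, ua)
        elif event == "request":
            ctx = bound.get(sid)
            if ctx is None:
                alerts.append({"session": sid, "reason": "unknown session"})
            elif ctx.ip != ip or ctx.user_agent != ua:
                alerts.append({"session": sid, "reason": "context mismatch",
                               "seen_from": ip})
    return alerts


if __name__ == "__main__":
    for alert in find_session_misuse(SAMPLE_LOG):
        print(alert)
```

A bare IP comparison will false-positive on users who roam between networks, so production checks usually compare ASN or geography and device signals rather than exact addresses, and respond by forcing re-authentication rather than silently blocking.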

So, can two-factor authentication protect businesses from phishing attacks? In some cases it can, but not always. It is therefore important to ensure that the entire workforce is trained to be more security aware and receives training on the checks that must always be performed prior to responding to any email request.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news