How can Hackers Bypass Google’s 2FA Security

Bypass Google’s 2FA Security

Two-factor authentication, or simply 2FA is often hailed as the best security one can get against scammers who want to get your login credentials. But is it all that cracked up to be or is there a way for a hacker to bypass google two-factor authentication? 

If you thought that your usernames and passwords were 100% safe because you are using 2FA, I’ll have to disappoint you there.

There is, unfortunately, a way to bypass 2FA and hack a Google account that’s protected by it. It’s been done already.

In this article, we are going to talk about:

  • What is 2FA?
  • Its strengths
  • Its weaknesses
  • How can it be bypassed?
  • Why is having an anonymous email a good idea?

What is 2FA?

As so many aspects of our lives are today tied to the digital, the risk of getting hacked and our data stolen is ever-present.  Hackers have become incredibly sophisticated in their field of work and can easily get around outdated security systems based on just usernames and passwords for protecting user accounts.

Every year, hundreds of data breaches occur, most of which we don’t even hear about. Those that do make it to the news are usually of global corporations losing hundreds of millions of user records and often suffering irreparable financial damages.

Just last year (2019), 885 million records (login credentials, social security numbers, bank transactions, etc) of the First American Financial Corp. were exposed online.

And that’s just one example of a data breach that shows the ever-increasing need for tighter online security. 

Passwords alone are just not enough.

So, knowing that, IT security experts have added an extra layer of security called “two-factor authentication” or 2FA to ensure that people who try to access online accounts are really who they say they are.

What 2FA does, in essence, is add an extra security factor before allowing you to access your online account (for instance Gmail). This is usually:

  • Something you know like a PIN, secret question, a screen pattern and so on.
  • Something you have like another device (smartphone or tablet), or a hardware token.
  • Something you are like a voice, iris scan, or a fingerprint.

Without this factor, it’s impossible to verify the identity of the person trying to unlock the account and it will stay locked even if they have the correct password.

Well, unfortunately, it’s not entirely impossible to bypass 2FA.

How Hackers Were Able to Bypass 2FA Security in Gmail, Yahoo, ProtonMail in 2018


It was already done. 

In 2018, hackers were able to bypass 2FA security in Gmail and Yahoo and those same hackers were likely responsible for creating phishing sites for secure email services like ProtonMail and Tutanota as well.

How did they do it?

According to an Amnesty International report, the victims first received a fake Gmail security alert about their account being compromised and having to change their passwords.

Next, they were sent to a fake Google or Yahoo site where they had to enter their login credentials. From this page, the targets were redirected to another page telling them that they’ve been sent a fake google verification code via SMS.

Upon entering the code, the victims would then be presented with a password reset form, which if they did would give the hackers full access to their account.

And, since the Google spoof email looked like a legitimate email from Google, few who got it looked at it twice.

4 Methods of Bypassing 2FA

2FA does provide a strong extra layer of security, but it is not bulletproof and it has flaws in both implementation and design, as this Medium post by Shakmeer Amir shows.

There are 4 methods to bypass a 2FA mechanism, according to that article:

  1. Using conventional session management using the password reset function. 

This is what the hackers did in the example above. They sent a fake Gmail security alert, phished an SMS token and finally had their victims reset their passwords. 

  1. Using an OAuth mechanism.
Using an OAuth mechanism

Another 2FA bypassing method is to use a 3rd party login mechanism called OAuth. If you’re not familiar with OAuth, this is when you use Google or Facebook to log in to another account. 

Although this is a convenient way to log in to a website and Google or Facebook should be safe, it’s also a way for the hacker to bypass 2FA. Instead, they can use OAuth integration to log in without needing the username and password.

  1. Using race conditions.

 A “race condition” is the repeated usage of a previously known value, such as the app’s ability to use used or unused tokens later. For this, the hacker would first need to have access to those previous values, which they can get by intercepting a previous code.

  1. Via brute force.

Finally, if there is no rate limitation in the input fields, an attacker can attempt to brute force to 2FA code, especially if it’s number-based. As the normal length of a code is 4-6 numbers, that’s “only” 151,800 possibilities. You don’t need a supercomputer to crack that.

Protect Yourself Using a Secure Anonymous Email Service

As you can see, bypassing Google’s two-factor authentication is quite possible with a simple phishing attack. This is why you need a secure email provider that includes a phishing protection mechanism and has zero-knowledge password protection. 

With CTemplar, you can set a phrase that will show in your account. Any time this phrase is used, you’ll be alerted to a phishing attempt.

Also, CTemplar employs Zero-Knowledge Password Protection, meaning that even we don’t know your private key protection and are thus not able to access your encrypted data.

What do you think about 2FA? Do you think it’s enough to protect your online accounts? Or do you think you need to add an extra layer of security like a secure email provider such as CTemplar?