Two-Factor Authentication Is Even Less Secure Than You Thought


Two-factor authentication may not be enough to protect users against intrusion, according to a recently published report from researchers at Fox-IT. The report documents a campaign, which Fox-IT has named “Operation Wocao,” by a Chinese hacking group tracked as APT20. The group appears to have found a way to get past the commonly used security measure without setting off any alarms.

The group's intrusions began with compromised web servers and then moved deeper into the victim networks. Using an RSA SecurID software token stolen from a hacked system, APT20 was able to pass through two-factor barriers elsewhere. A SecurID software token is normally bound to the machine it was issued for by a system-specific value, so a copied token should not work on another computer. Fox-IT found that this value is only checked when the token seed is imported, not when one-time codes are generated, so the group patched that import check and used the stolen seed on machines of its own.

In effect, the group generated the same valid one-time codes the victim's token would have produced and presented them to the services that trusted that token. That removed the need to recover, or steal, the victim's system-specific key at all.


This may be a bigger threat for users in China than anywhere else

The technique as described applies to RSA SecurID software tokens, but the underlying weakness, a device binding that is enforced by a single check at import time rather than being tied to the generation of codes, could apply to other software tokens as well. The impact may be far-reaching. In short, APT20 seems to have greatly simplified a step that previously required considerable effort.

Typically, an attacker would need to recover the system-specific key or use some other complex method. The new technique makes the process far more straightforward: once an attacker has enough access to a system to steal its software token, bypassing the second factor may not be much harder than that.

The biggest threat may actually be to users in China. Not only does APT20 originate there; it is also alleged to have direct ties to the Chinese government. At the very least, it has chiefly focused on breaking into secured systems used for VPNs in China.


The Chinese government has often been accused of being oppressive toward its citizens, chiefly because it denies access to certain websites and information, often pertaining to protest and to the individual rights and freedoms espoused by Western powers. As a result, VPNs are used in the region to reach websites, apps, and information that the government would rather citizens did not access.

Other governments could easily follow suit, and the applications of the new method may become more widespread, undermining confidence in traditional two-factor authentication. At a minimum, the discovery may change the way two-factor authentication is deployed and marketed. Ultimately, changes may be required to keep users and their data safe.

Can two-factor authentication be made more secure?

No fix for the newly reported problem appears to be forthcoming, and none has reportedly been presented by the researchers. But that doesn't mean the problem is unsolvable. One plausible mitigation would be to tie a software token much more tightly to the system it was issued for, so that a copied seed is useless anywhere else.


For instance, the system-specific value could be used to protect the seed itself, so that it is needed every time a code is generated rather than being verified once at import, where a single patched check can skip it. Hardware tokens and FIDO2 authenticators, which keep the secret in a device that cannot be copied off a compromised host, avoid this class of problem altogether. Beyond that, since the full extent of the problem is unclear, new methods for protecting users may be required.
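The two designs discussed above, as an added illustration that is not code from Fox-IT, RSA or this article. Codes are generated with RFC 6238 TOTP as a stand-in for RSA's SecurID algorithm, which is not reproduced here, and the seed, hostnames, machine identifiers and class names are all constructed for the example. The weak design checks the device binding once and can be bypassed by skipping that check (modelled with enforce=False); the hardened design uses the device value as key material to wrap the seed, so a stolen token file unwraps to garbage on another host even when the check is skipped.

```python
import hashlib
import hmac
import struct

# Toy software token. Codes come from RFC 6238 TOTP (HMAC-SHA1), a stand-in for
# RSA's SecurID algorithm, which is not reproduced here. The seed, device values
# and hostnames below are constructed for the example.


def totp(seed: bytes, t: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time step, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def device_value(hostname: str, machine_id: str) -> bytes:
    """Stand-in for the system-specific value a soft token is bound to."""
    return hashlib.sha256(f"{hostname}|{machine_id}".encode()).digest()


class WeakSoftToken:
    """Binding is a yes/no check; the seed is stored as-is and used directly."""

    def __init__(self, seed: bytes, device: bytes):
        self.seed = seed          # copied intact by anyone who steals the file
        self.bound_to = device

    def code(self, device: bytes, t: int, enforce: bool = True) -> str:
        # enforce=False models a patched binary in which this branch is skipped
        if enforce and not hmac.compare_digest(self.bound_to, device):
            raise PermissionError("token was not issued for this device")
        return totp(self.seed, t)


class HardenedSoftToken:
    """The seed is wrapped once, at import, under a key derived from the device
    value. The plaintext seed is never stored, and unwrapping with a different
    device value yields garbage rather than a usable seed."""

    def __init__(self, seed: bytes, device: bytes):
        if len(seed) > 32:
            raise ValueError("toy wrapper supports seeds up to 32 bytes")
        key = self._wrap_key(device)
        self.wrapped = self._xor(seed, self._stream(key, len(seed)))
        self.tag = hmac.new(key, self.wrapped, hashlib.sha256).digest()

    @staticmethod
    def _wrap_key(device: bytes) -> bytes:
        return hmac.new(device, b"soft-token-seed-wrap", hashlib.sha256).digest()

    @staticmethod
    def _stream(key: bytes, n: int) -> bytes:
        # One-time keystream: the seed is wrapped exactly once under this key.
        return hashlib.sha256(key + b"keystream").digest()[:n]

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    def unwrap(self, device: bytes, enforce: bool = True) -> bytes:
        key = self._wrap_key(device)
        expected = hmac.new(key, self.wrapped, hashlib.sha256).digest()
        if enforce and not hmac.compare_digest(self.tag, expected):
            raise PermissionError("seed cannot be unwrapped on this device")
        # Even with the check patched out, a wrong key gives a wrong seed.
        return self._xor(self.wrapped, self._stream(key, len(self.wrapped)))

    def code(self, device: bytes, t: int, enforce: bool = True) -> str:
        return totp(self.unwrap(device, enforce), t)


SEED = b"12345678901234567890"                              # constructed seed
VICTIM = device_value("victim-laptop", "machine-id-0001")   # constructed
ATTACKER = device_value("apt-workstation", "machine-id-0002")


def demo(t: int = 1_700_000_000) -> dict:
    """Run both designs on the victim's host and on the attacker's host."""
    weak = WeakSoftToken(SEED, VICTIM)
    hard = HardenedSoftToken(SEED, VICTIM)
    return {
        "victim_code": weak.code(VICTIM, t),
        "weak_stolen_patched": weak.code(ATTACKER, t, enforce=False),
        "hard_on_victim": hard.code(VICTIM, t),
        "hard_stolen_patched": hard.code(ATTACKER, t, enforce=False),
        "hard_stolen_seed": hard.unwrap(ATTACKER, enforce=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value!r}")
```

Two caveats apply. First, the hardened variant only helps if the device value is not itself readable alongside the token file: an attacker who can copy the file can usually also read a hostname or machine identifier, so in practice the value must come from something like a TPM-held key that does not leave the hardware. Second, neither design stops an attacker who already has code execution on the victim's machine from simply running the token there; that is the case hardware tokens and FIDO2 authenticators are meant to cover.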