Can 2FA be Hacked?

[AakZaki]

This can happen, we all need to be aware of all online activities related to email and passwords. You must be observant of phishing emails, web phishing and other phishing. Some cases I know they use email, they send a email for you with contents a link to the web just like the original web. After that they work by retrieving your session cookie, this cookies used to log in to your account (If I'm not mistaken).  Therefore, hackers no longer need your name, password or two-factor authentication

[abokhalel2]

Yes, in this world nothing can be hidden. Everything will be hacked sooner or later. There is only one defense - your brain, but, unfortunately, everything cannot be hidden there.

[iamaruf]

Everything is hackable. Even there are many ways to bypass the 2FA on Facebook. You can google it to know more. But for the recovery option, you can reset your pass through mail. If everything changed then try to contact support and give them your all details to prove that the account is yours. They can ask you for a Passport/driving/NID. In this way, you can get your Facebook account back.

[masulum]

2FA user are still can lose their account with several ways to bypassing 2FA or because of phishing site. the code it self can be hacked by brute forcing. Don't forget about 2FA bypassing too. Even 2FA can't be hacked, there will be another to skipping 2FA from your account. Well, people must be aware about any possibility of hacking. If they are thinking if his account are really safe because of using 2FA, then he was wrong.

[abel1337]

Recently my Facebook Account was Hacked which was protected by 2FA. I was thinking that 2FA was very advance security. But I was Wrong. My Account was hacked and hacker change all my email and Phone Number. Has anyone faced same problem please reply in post. If someone has recovered hacked account please reply with information.

I believe that everything could be hacked even you have layers of security, Hackers have different methods of doing their thing and 2FA is not that much security for "god-like hackers". 2FA can improve your account security exponentially but there's some way to bypass it. You might be hacked physically by having the hacker access your security device and steal the necessary information there. If your device is stolen in real life it would basically give a great potential risk to your accounts. It would be better not to share any information with everyone especially if your account has good money in it and if you value your account so much, You could be a target just by sharing some info with someone.

[Cryptomint9]

Yes it can be hacked. Because hackers have excellent mind. And they can hack any thing. Like you can read this article.
https://www.pymnts.com/safety-and-security/2019/chinese-hacking-attacks-take-down-2fa/

[BIN-BIN]

2 factor authentication security software is venerable only if it is compromise by the hacker and this can happened when the malware attack your system and steal some of your security details.

E.g if you store password and other security information on google it can be easily stolen and accounts compromised so yes 2FA can be hacked.

[Issa56]

Why not anything can be hacked that why you have to keep you private key safe so that it your account won't be tampered with, you don't have to trust anybody with your private key no matter how close you are.

[bob123]

With "hacked" you are probably referring to gained access to.
And this definitely is possible.

The two most common ways to circumvent 2fa is to either 1) compromise the device holding the 2fa key or 2) manipulate the system in such a way that no 2fa is required.

Number 1) is an attack on the user. It targets the device storing the 2fa secret.
Number 2) focuses on the system which utilizes 2FA. Even if your security is perfect (which it never will be), you can never be sure whether the security of the service you are using is good enough. 2FA does not guarantee that you are safe. It just decreases the risks.

[Oshosondy]

There is back ups for every accounts you add in your google authentication app, assuming you buy a new smartphone now you can easily export all the 2FA accounts into the new phone, meaning that if someone have access  to your phone they can export your 2FA settings and gave access to every websites you use 2FA on

You are right, if hackers can steal the 2fa back up, the hacker will be able to to access the 2fa code successfully, but there are many other ways to get access to the back up, and there are ways the back up is not needed at all but the time codes which is changing every 30 seconds or so will still be revealed. This can be possible through malacious codes hackers can input into devices like phones and computers.

[Globb0]

Nothing is un hackable.

Hacks come and go then the fix has to follow.


By adding more layers like 2fa you give yourself a better chance against an easier target. (with a simple password for example)

another benefit being the hacker has now to compromise 2 devices to "get you"


ofc if they have hacked your main email, they may be able to reset a few other things.

So make sure you use a secure password!


Security starts at home.

[taufik123]

You are right, if hackers can steal the 2fa back up, the hacker will be able to to access the 2fa code successfully, but there are many other ways to get access to the back up, and there are ways the back up is not needed at all but the time codes which is changing every 30 seconds or so will still be revealed. This can be possible through malacious codes hackers can input into devices like phones and computers.

It's not just 2FA reserves that will be targeted for hacking. But by smuggling malware, hackers can easily bypass the 2FA code. Malware usually infiltrates advertisements or on websites that we visit while surfing the internet or in applications, photos and videos.
this all also depends on the readiness of the user to be careful and not fall into the trap that has been provided by hackers. Phishing, malware, fake applications and others must be kept on alert. No system is safe, all systems can be hacked.

[libert19]

'hacker' could have also gotten access to backup codes you saved.

[Charles-Tim]

'hacker' could have also gotten access to backup codes you saved.

Hackers can only steal what are online and on devices, if the backup is completely saved offline, there is no way for hackers to steal it, but some people just like taking the screen shot of backup or saving it on the device they are using, these ways of backup not good and not safe at all. The best is to have your 2fa backup code on a paper written with pencil, or printed and laminated, or written on metallic sheet. To have it saved offline will protect it from any form of online attack. But, also, it is very important to safe it from physical damages and offline attackers, but offline attack are not common like online attack but also worth protecting it from offline attacks.

[decodx]

I don't think 2FA can be hacked specially the one made by google and steam..

2FA authenticator uses software such as Google Authenticator, Microsoft Authenticator or Authy. It operates on a TOTP (time based one-time password) concept. TOTP is more reliable than SMS, however, there have been reports of hackers stealing authentication codes from Android smartphones. There are even some malwares that can copy and send authenticator codes to a hacker.

[Oshosondy]

2FA authenticator uses software such as Google Authenticator, Microsoft Authenticator or Authy. It operates on a TOTP (time based one-time password) concept. TOTP is more reliable than SMS, however, there have been reports of hackers stealing authentication codes from Android smartphones. There are even some malwares that can copy and send authenticator codes to a hacker.

First of all, not all authentication codes are Time-based One-time Password (TOTP), some are HMAC-based One-time Password algorithm (HOTP) which depends on a counter. Also there are many other good 2 factor authenticators, like AndOTP and Aegis, they are all good too.

About the malware that can steal authenticator codes, trojan is just the typical example.

[bob123]

First of all, not all authentication codes are Time-based One-time Password (TOTP), some are HMAC-based One-time Password algorithm (HOTP) which depends on a counter.

Most services don't support HOTP, but TOTP only.
While HOTP might be more user friendly because there is no time limit or lag to enter the code, it might be more susceptible to bruteforce.

Generally, TOTP can be considered more secure than HOTP. Especially because the generated 2fa code is only valid for a short timeframe.

[Crypto Bright]

I have encounter the same problem with my Facebook account, been hacked, luckily enough i was online chatting, i discover my account has been logout, by sending message it could not delivered, immediately, i request on change of password of my Facebook account and also changed my email address password by restoring my Facebook account, and i believed the hacker has got access to your email, may be you save (2FA) Factor Authorization on draft message. which is not advisable to saved 2FA online, i prefer offline saving phase.

[decodx]

First of all, not all authentication codes are Time-based One-time Password (TOTP), some are HMAC-based One-time Password algorithm (HOTP) which depends on a counter.

Most services don't support HOTP, but TOTP only.
While HOTP might be more user friendly because there is no time limit or lag to enter the code, it might be more susceptible to bruteforce.

Generally, TOTP can be considered more secure than HOTP. Especially because the generated 2fa code is only valid for a short timeframe.

I didn't even know about HOTP (probably because it's not used a lot), thanks for the info. I'm going to have to research this in more detail.