Two-Factor Authentication: No Longer Infallible Because Of Human Error

The FBI warns of the increasing ability of threat actors - notably the Scattered Spider group - to bypass two-factor authentication (2FA), especially targeting sectors like retail, insurance, and aviation.

Qantas, a major aviation company, has already disclosed a significant breach involving a third-party vendor, with personal data of around six million clients potentially compromised.

The FBI's key message is that attackers are exploiting weaknesses not only in 2FA but also in password practices, which remain alarmingly poor across both corporate and consumer environments.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have repeatedly issued guidelines on password hygiene, but these are still being ignored by many individuals and organizations.

Recent research from NordPass confirms that weak, reused, and otherwise inadequate passwords are widespread, even in critical infrastructure industries such as transportation, where lapses can have far-reaching consequences.

Examples of commonly used (and easily compromised) passwords include "123," "Dell 123," "password 111," "4," "123456789," and "qwerty" - passwords that offer virtually no protection against even unsophisticated attacks.

Although sophisticated groups like Scattered Spider often use social engineering to manipulate IT support into adding unauthorized multi-factor authentication (MFA) devices to compromised accounts, their attacks frequently begin by exploiting vulnerable login credentials.

Ransomware groups typically target the weakest security link, which is often a poorly managed password. The article stresses that improving password practices is a simple and effective way to reduce the risk of data breaches and operational failures, yet this basic step is still widely neglected.

The FBI and cybersecurity experts are urging organizations and individuals to stop using easily guessable passwords and to consider transitioning to even stronger authentication methods like passkeys, which offer enhanced security over traditional passwords and 2FA.

Source: https://www.forbes.com/sites/daveywinder/2025/07/05/fbi-confirms-2fa-bypass-warning---now-stop-using-these-passwords/

Commentary

One of the most disturbing aspects of the above report is that online criminals are bypassing 2FA.

Online criminals like the Scattered Spider group bypass two-factor authentication not by cracking security codes or exploiting software vulnerabilities, but by manipulating the people and processes that manage those security measures.

In a typical attack scenario, an attacker might start by gathering personal details about a targeted employee, perhaps through LinkedIn searches or data leaks, to make their impersonation more convincing.

They then contact the company's IT help desk, pretending to be that employee, and create a plausible story - such as losing their phone or needing urgent access - to request a password reset and a new MFA device registration. If the help desk is fooled, the attacker can direct authentication codes or prompts to a device they control, gaining access to the account.

Sometimes, attackers send repeated authentication requests to the real user's device, hoping the user will accidentally approve one out of frustration.

Other times, phishing tools are used to intercept both login credentials and session tokens, allowing the attacker to log in without ever needing to interact with MFA.

Once inside, the attacker can enroll their own MFA device, ensuring they maintain access even if the password is changed, and potentially move through the organization's systems, searching for valuable data to steal or encrypt for ransom.

To protect against these increasingly sophisticated attacks, organizations need to implement stronger security practices.

Phishing-resistant authentication methods, such as hardware security keys or device-bound passkeys, should be used instead of SMS or push notifications, which are easier for attackers to intercept or manipulate.

The process for resetting passwords or enrolling new devices needs to be tightened, requiring multiple confirmations and identity checks to prevent social engineering.

Employees at all levels should receive training to recognize and report suspicious requests, and IT support staff should be especially alert to unusual account changes.

Remote access tools should be monitored and restricted, and all new MFA device enrollments - especially for accounts with high privileges - should be reviewed for legitimacy.

Security systems that continuously monitor device integrity and user behavior can help flag suspicious access patterns in real time.
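As an added illustration of the kind of monitoring described above (this is example code written for this commentary, not anything from the Forbes article, the FBI advisory, or any vendor product), the script below scans a constructed authentication and help-desk event log for two of the patterns discussed earlier: a burst of MFA push prompts to one user (the "push fatigue" tactic) and a new MFA device enrolled shortly after a help-desk password reset for the same account. The log format, field names, event names and thresholds are all assumptions chosen for the example; a real deployment would map them onto the identity provider's own audit events.

```python
"""
Detection example (added here; not from the Forbes article or the FBI advisory).
Scans constructed authentication/help-desk events for two patterns:
  1. MFA push fatigue: many push prompts to one user within a short window.
  2. Suspicious enrollment: a new MFA device registered shortly after a
     help-desk password reset for the same account.
Event format, event names and thresholds are assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp | user | event | detail
SAMPLE_LOG = """\
2025-07-05T09:00:05Z | j.doe   | MFA_PUSH_SENT     | device=phone-1
2025-07-05T09:00:20Z | j.doe   | MFA_PUSH_DENIED   | device=phone-1
2025-07-05T09:00:41Z | j.doe   | MFA_PUSH_SENT     | device=phone-1
2025-07-05T09:01:02Z | j.doe   | MFA_PUSH_SENT     | device=phone-1
2025-07-05T09:01:30Z | j.doe   | MFA_PUSH_SENT     | device=phone-1
2025-07-05T09:02:10Z | j.doe   | MFA_PUSH_SENT     | device=phone-1
2025-07-05T09:02:25Z | j.doe   | MFA_PUSH_APPROVED | device=phone-1
2025-07-05T10:15:00Z | a.smith | HELPDESK_PW_RESET | ticket=T-1001 agent=help1
2025-07-05T10:22:30Z | a.smith | MFA_DEVICE_ENROLL | device=phone-new
2025-07-05T11:00:00Z | b.lee   | MFA_PUSH_SENT     | device=phone-3
2025-07-05T11:00:12Z | b.lee   | MFA_PUSH_APPROVED | device=phone-3
2025-07-05T14:00:00Z | c.wong  | MFA_DEVICE_ENROLL | device=phone-9
"""

PUSH_WINDOW = timedelta(minutes=5)   # assumed window for counting push prompts
PUSH_THRESHOLD = 4                   # assumed number of prompts that triggers an alert
ENROLL_WINDOW = timedelta(hours=1)   # assumed reset-to-enrollment window worth reviewing


def parse_log(text):
    """Parse the pipe-delimited sample format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = [p.strip() for p in line.split("|", 3)]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "detail": detail,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events):
    """Return {user: max prompts seen in any PUSH_WINDOW} for users at or above PUSH_THRESHOLD."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "MFA_PUSH_SENT":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        start = 0
        # Sliding window over the time-ordered prompt timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > PUSH_WINDOW:
                start += 1
            count = end - start + 1
            if count >= PUSH_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def detect_enroll_after_reset(events):
    """Return (user, reset_ts, enroll_ts) for MFA enrollments within ENROLL_WINDOW of a help-desk reset."""
    last_reset = {}
    hits = []
    for e in events:
        if e["event"] == "HELPDESK_PW_RESET":
            last_reset[e["user"]] = e["ts"]
        elif e["event"] == "MFA_DEVICE_ENROLL":
            reset_ts = last_reset.get(e["user"])
            if reset_ts is not None and e["ts"] - reset_ts <= ENROLL_WINDOW:
                hits.append((e["user"], reset_ts, e["ts"]))
    return hits


def run_detections(text=SAMPLE_LOG):
    """Run both detections over a log and return their findings for review."""
    events = parse_log(text)
    return {
        "push_fatigue": detect_push_fatigue(events),
        "enroll_after_reset": detect_enroll_after_reset(events),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(name, result)
```

On the sample data the first rule flags j.doe (five prompts inside five minutes, one of which was eventually approved), and the second flags a.smith's enrollment seven and a half minutes after a help-desk reset, while c.wong's enrollment with no preceding reset is left alone. Both findings are the kind of event the commentary says should be routed to a human for legitimacy review rather than auto-blocked; the thresholds are deliberately simple so that an analyst can tune them against the organization's own baseline.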

Regular audits of account access and prompt removal of unused credentials reduce the risk of attackers gaining a foothold, and organizations should always assume that some attacks might get through, so rapid detection and response plans are vital.

The final takeaway is that while two-factor authentication is an important security layer, criminals have learned to circumvent it by exploiting both technology and human nature. Organizations must therefore adopt a comprehensive approach that combines advanced authentication, vigilant monitoring, continuous training, and a strong incident response process to truly protect their data and operations.
