I have 2FA on ALL of my accounts. But my password was leaked in 7 breaches. Unfortunately I have used the same password for most of the accounts.

Is it possible for him/her to bypass the 2FA?

  • It probably goes without saying, but you should change the password for all those accounts as soon as possible. You should in future aim to never reuse the same password on different accounts (this is where a password manager can come in handy) – Shaun Killingbeck Oct 05 '19 at 08:22

1 Answer

This depends on the kind of 2FA and on the policies of the service providers. If 2FA is strictly bound to a dedicated physical device (U2F token or similar) it should be kind of impossible to bypass it directly unless the attacker gets hold of this physical device. If 2FA is instead only implemented using an app on a mobile phone, the attacker might additionally try to target the phone itself. If 2FA is SMS based there are even more attack vectors.

It also depends on whether the second factor is bound to the domain you visit (as in WebAuthn) or not (SMS and others). In the second case the attacker might trick you into entering the token into some look-alike phishing site instead of the real one.

And finally it depends on what processes are implemented at the service provider in case of lost 2FA access. For example, if there are only some (often easy to guess) security questions to answer in order to disable 2FA or change the phone number for SMS 2FA, then it does not help a lot if the client still owns the original 2FA.

Steffen Ullrich
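The answer's second paragraph (a one-time code is not bound to the site you type it into, a WebAuthn assertion is) can be shown from the verifier's side. The following is an added illustration, not code from the answer or from any real service: it implements RFC 6238 TOTP with the standard library and a deliberately simplified WebAuthn-style assertion in which an HMAC keyed by a per-credential secret stands in for the authenticator's asymmetric signature. The origins, RP ID, secrets and challenge are all constructed values. The point it makes is that the TOTP verifier only ever sees a six-digit string and cannot tell where it was entered, whereas the assertion carries the origin the browser actually talked to and a hash of the RP ID, so an assertion produced on a look-alike origin fails verification at the real site.

```python
"""Toy model of a domain-bound second factor versus a plain one-time code.
Added example; not from the original answer. The WebAuthn part is simplified:
a real authenticator signs with an asymmetric key (e.g. ES256); here an HMAC
keyed with a per-credential secret stands in for that signature, and the RP ID
is derived from the origin host so the example stays self-contained."""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://bank.example"            # constructed
LOOKALIKE_ORIGIN = "https://bank-example.test"  # constructed look-alike origin
RP_ID = "bank.example"                          # constructed relying-party ID


# ---- factor type 1: one-time code (TOTP, RFC 6238) ------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the time-step counter, SHA-1, dynamic truncation (RFC 4226/6238)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step +/- skew_steps.
    Nothing in the code identifies the site it was typed into, so a code
    captured on another site within the validity window verifies here too."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * 30), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


# ---- factor type 2: origin-bound assertion (WebAuthn-style) ----------------
def make_assertion(cred_secret: bytes, origin: str, challenge: str) -> dict:
    """What the browser+authenticator produce. The browser, not the user,
    fills in the origin it is really connected to."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(origin.split("://", 1)[1].encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # stand-in for ES256
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "signature": signature}


def verify_assertion(cred_secret: bytes, assertion: dict, expected_origin: str,
                     expected_rp_id: str, expected_challenge: str) -> bool:
    """Relying-party checks: origin, challenge, RP ID hash, then the signature."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("origin") != expected_origin or client.get("challenge") != expected_challenge:
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def demo(unix_time: int = 1_700_000_000) -> dict:
    """User completes both factor types on the look-alike origin; the real site
    then receives the forwarded code and the forwarded assertion."""
    totp_secret = b"constructed-shared-totp-secret"
    cred_secret = b"constructed-authenticator-credential-secret"
    challenge = "constructed-server-challenge"

    relayed_code = totp(totp_secret, unix_time)
    relayed_assertion = make_assertion(cred_secret, LOOKALIKE_ORIGIN, challenge)
    genuine_assertion = make_assertion(cred_secret, REAL_ORIGIN, challenge)

    return {
        "totp_relayed_accepted": verify_totp(totp_secret, relayed_code, unix_time),
        "webauthn_relayed_accepted": verify_assertion(
            cred_secret, relayed_assertion, REAL_ORIGIN, RP_ID, challenge),
        "webauthn_genuine_accepted": verify_assertion(
            cred_secret, genuine_assertion, REAL_ORIGIN, RP_ID, challenge),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Running it shows the relayed TOTP accepted and the relayed assertion rejected, which is exactly the distinction the answer draws between SMS/app codes and WebAuthn. The same logic is why a real relying party must verify the origin and RP ID hash rather than just the signature: dropping those checks turns the assertion back into a relayable token.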