Waxaa laga yaabaa inaad u maleyso in awood u yeelashada aqoonsiga laba-factor ee akoonkaaga ay 100% ka dhigayso mid sugan. Xaqiijinta laba-factor^{(Two-factor authentication)} ayaa ka mid ah hababka ugu fiican ee lagu ilaaliyo akoonkaaga. Laakiin waxaa laga yaabaa inaad la yaabto inaad maqasho in akoonkaaga la afduubi karo inkasta oo la awoodo xaqiijinta laba arrimood. Maqaalkan, waxaan kuu sheegi doonaa siyaabaha kala duwan ee ay weerarayaashu uga gudbi karaan xaqiijinta laba-geesoodka ah.

Waa maxay Xaqiijinta Laba-Factor ( 2FA^{(Authentication)} )?

Kahor intaanan bilaabin, aan aragno waxa 2FA yahay. Waad ogtahay in ay tahay inaad geliso furaha sirta ah si aad u gasho akoonkaaga. La'aanteed erayga sirta ah ee saxda ah, ma geli kartid. 2FA waa habka lagu daro lakab ammaan oo dheeraad ah akoonkaaga. Kadib markaad awood u yeelatid, ma geli kartid akoonkaaga adiga oo galaya erayga sirta ah oo kaliya. Waa inaad dhammaystirtaa hal tallaabo oo ammaan oo dheeraad ah. Tani waxay ka dhigan tahay 2FA, shabakadu waxay ku xaqiijisaa isticmaalaha laba tallaabo.

Akhri^(Read) : Sida loo sahlo xaqiijinta 2-tilaabo ee Koontada Microsoft^{(How to Enable 2-step Verification in Microsoft Account)} .

Sidee buu 2FA u shaqeeyaa?

Aynu fahamno mabda'a shaqada ee xaqiijinta laba-factor. 2FA waxay kaaga baahan tahay inaad laba jeer iska hubiso. Markaad geliso isticmaalekaaga iyo eraygaaga sirta ah, waxaa laguu wareejin doonaa bog kale, halkaasoo ay tahay inaad keento caddayn labaad oo ah inaad tahay qofka dhabta ah ee isku dayaya inuu galo. Mareegaha ayaa isticmaali kara mid ka mid ah hababka soo socda ee xaqiijinta:

OTP (One Time Password)

Kadib gelida erayga sirta ah, shabakadu waxay kuu sheegaysaa inaad iska hubiso adiga oo gelaya OTP -ga laguugu soo diray lambarkaaga mobilada ee diiwaangashan. Kadib markaad geliso OTP^(OTP) saxda ah , waxaad gali kartaa akoonkaaga.

Ogeysiinta degdega ah

Ogeysiis degdeg ah ayaa lagu soo bandhigayaa taleefankaaga casriga ah haddii uu ku xiran yahay intarneedka. Waa inaad iska hubisaa adiga oo taabsiinaya badhanka " Haa ". ^(Yes)Intaa ka dib, waxaa lagugu soo gali doonaa akoonkaaga PC-gaaga.

Codsiyada kaabta

Koodhadhka kaabta^(Backup) ayaa faa'iido leh marka labada hab ee kor ku xusan ee xaqiijinta aysan shaqeyn doonin. Waxaad gali kartaa akoonkaaga adiga oo geliya mid ka mid ah koodhadhka kaydka ah ee aad ka soo dejisay akoonkaaga.

App-ka Xaqiijiye

Habkan, waa inaad akoonkaaga ku xidhaa app-ka xaqiijinta. Mar kasta oo aad rabto inaad gasho akoonkaaga, waa inaad gelisaa koodka ka muuqda app-ka xaqiijinta ee ku rakiban taleefankaaga casriga ah.

Waxaa jira dhowr habab oo kale oo xaqiijin ah oo mareegaha uu isticmaali karo.

Akhri^(Read) : Sida Loogu Daro Xaqiijinta Laba-tallaabo Koontadaada Google^{(How To Add Two-step Verification To Your Google Account)} .

Siday Hackers-ku u heli karaan xaqiijinta laba-factor^{(Two-factor Authentication)}

Shaki la'aan, 2FA waxay akoonkaaga ka dhigaysaa mid ammaan badan. Laakin wali waxaa jira siyaabo badan oo ay haakarisku uga gudbi karaan lakabkan amniga.

1] Xatooyo kukiyada^{(Cookie Stealing)} ama afduubka fadhiga^{(Session Hijacking)}

Xatooyo buskud ama afduubka fadhiga^{(Cookie stealing or session hijacking)} waa habka lagu xado buskudka isticmaaleha. Marka uu jabsadayhu uu ku guulaysto xaday buskudka fadhiga, waxa uu si fudud u dhaafi karaa xaqiijinta laba arrimood. Weeraryahanadu waxay yaqaaniin habab badan oo wax lagu afduubto, sida hagaajinta fadhiga, urinta fadhiga, qorista boggaga, weerarka malware, iwm. Evilginx waxay ka mid tahay qaab-dhismeedka caanka ah ee ay isticmaalaan haakarisku si ay u fuliyaan weerarka dhex-dhexaadka ah. Habkan, hackers-ku wuxuu u soo diraa isku xirka phishing kan isticmaala kaas oo geynaya bogga gelitaanka wakiil. Marka isticmaaluhu uu galo akoonkiisa isagoo isticmaalaya 2FA, Evilginx waxay qabsanaysaa^(Evilginx) aqoonsigiisa gelitaanka oo ay la socoto koodka aqoonsiga. Tan iyo OTPdhacayaa ka dib isticmaalka iyo sidoo kale ansax ah waqti go'an, ma jiraan wax faa'iido ah oo ku saabsan qabashada koodka aqoonsiga. Laakin hackers-ku waxa uu haystaa cookies-ka fadhiga isticmaalaha, kaas oo uu isticmaali karo si uu u galo akoonkiisa oo uu uga gudbo xaqiijinta laba arrimood.

2] Kobcinta Koodhka

Haddii aad isticmaashay abka Google Authenticator , waxaad ogtahay inay soo saarto kood cusub wakhti gaar ah kadib. Google Authenticator iyo abka kale ee xaqiijinta waxay ku shaqeeyaan algorithm gaar ah. Soo-saareyaasha koodka random^(Random) -ka guud ahaan waxay ku bilaabaan qiimaha iniinaha si ay u dhaliyaan lambarka koowaad. Algorithm-ka ayaa markaa adeegsada qiimahan ugu horreeya si uu u soo saaro qiyamka koodka ee hadhay. Hadii uu jabsadayhu awoodo in uu fahmo algorithm-kan, waxa uu si fudud u samayn karaa kood nuqul ka samaysan oo uu galo xisaabta isticmaalaha.

3] Xoog ba'an

Brute Force waa farsamo lagu soo saaro dhammaan isku darka sirta ah ee suurtogalka ah. Waqtiga dildilaaca erayga sirta ah iyadoo la isticmaalayo xoog cad waxay ku xiran tahay dhererkiisa. Mar kasta oo erayga sirta ah uu dheer yahay, ayaa wakhti badan ay qaadanaysaa in la jabiyo. Guud ahaan, koodka xaqiijinta waxay ka yihiin 4 ilaa 6 nambar dheer, haakarisku waxay isku dayi karaan isku day xoog ah oo ay ku doonayaan inay kaga gudbaan 2FA. Laakiin maanta, heerka guusha ee weerarrada xoogga waa yar yahay. Tani waa sababta oo ah koodka xaqiijintu waxa uu sii jiraa oo keliya muddo gaaban.

4] Injineernimada Bulshada

Injineerinka Bulsho waa farsamada uu weeraryahanku isku dayo inuu khiyaaneeyo maskaxda isticmaalaha oo uu ku qasbo inuu galo aqoonsigiisa bog gal been abuur ah. Dhib malaha haddii uu weerarku yaqaan magacaaga isticmaale iyo eraygaaga sirta ah iyo in kale, wuu dhaafi karaa xaqiijinta laba arrimood. Sidee? Aan aragno:

Aynu tixgelinno kiiska ugu horreeya ee uu qofka wax weeraray uu yaqaan magacaaga isticmaale iyo eraygaaga sirta ah. Ma geli karo akoonkaaga sababtoo ah waxaad karti gelisay 2FA. Si aad u hesho koodka, waxa uu kuu soo diri karaa iimaylo leh xidhiidh xaasidnimo leh, isaga oo kugu abuuraya cabsi ah in akoonkaaga la jabsado haddii aanad tallaabo degdeg ah qaadin. Markaad gujiso xiriirkaas, waxaa laguu wareejin doonaa bogga hacker-ka kaas oo u ekaysiinaya xaqiiqada bogga mareegaha asalka ah. Markaad gasho lambarka sirta ah, akoonkaaga waa la jabsan doonaa.

Hadda, aynu soo qaadanno kiis kale oo uu jabsadayhu aanu garanayn magaca isticmaalaha iyo eraygaaga sirta ah. Mar labaad^(Again) , kiiskan, wuxuu kuu soo diri isku xirka phishing wuxuuna xado magacaaga isticmaale iyo eraygaaga sirta ah oo uu la socdo koodhka 2FA.

5] OAuth

Is dhexgalka OAuth^(OAuth) waxa ay siisaa isticmaalayaasha tasiilaad ay ku galaan akoonkooda iyaga oo isticmaalaya akoon cid saddexaad. Waa codsi shabakadeed sumcad leh oo adeegsada calaamado oggolaansho si loo caddeeyo aqoonsiga ka dhexeeya isticmaalayaasha iyo bixiyeyaasha adeegga. Waxaad OAuth u tixgelin kartaa hab kale oo aad ku gasho akoonnadaada.

Habka OAuth wuxuu u shaqeeyaa sida soo socota:

1. Goobta A waxay codsanaysaa Bogga B^{(Site B)} (tusaale Facebook ) calaamada aqoonsiga.
2. Bogga B^{(Site B)} waxa ay tixgelisaa in codsiga uu soo saaray isticmaaluhu oo ay xaqiijiso akoonka isticmaalaha.
3. Bogga B^{(Site B)} ayaa markaas soo diraya koodka dib-u-warcida oo u ogolaata weeraryahanku inuu soo galo.

Nidaamyada kor ku xusan, waxaan ku aragnay in weeraryahanku uusan u baahnayn inuu naftiisa ku caddeeyo 2FA. Laakin si habkan la dhaafo uu u shaqeeyo, hacker-ku waa in uu haystaa akoonka isticmaalaha iyo erayga sirta ah.

Tani waa sida ay tuugadu uga gudbi karaan xaqiijinta laba arrimood ee xisaabta isticmaalaha.

Sidee looga hortegayaa 2FA oo dhaafa?

Haakarisku runtii way dhaafi karaan xaqiijinta laba-geesoodka ah, laakiin qaab kasta, waxay u baahan yihiin ogolaanshaha isticmaalayaasha taasoo ay ku helaan iyagoo khiyaamaynaya. Iyadoo aan la khiyaanayn isticmaalayaasha, ka gudubka 2FA suurtagal maaha. Sidaa darteed^(Hence) , waa inaad tixgelisaa qodobbada soo socda:

• Kahor intaadan gujin xiriiriye kasta, fadlan hubi xaqiiqadiisa. Waxaad tan ku samayn kartaa adiga oo hubiya ciwaanka iimaylka soo diraha
• Samee furaha sirta ah ee xooggan^{(Create a strong password)} oo ka kooban isku-dar alifbeetada, nambarada, iyo xarfo gaar ah.
• Isticmaal^(Use) kaliya abka xaqiijinta dhabta ah, sida Google auhenticator, Microsoft auhenticator, iwm.
• Soo deji^(Download) oo kaydi koodka kaydka ah meel aamin ah.
• Waligaa ha aaminin iimaylada phishing-ka ee jabsadayaashu u adeegsadaan inay ku khiyaameeyaan maskaxda isticmaalayaasha.
• Cidna ha la wadaagin summada ammaanka
• Ku deji^(Setup) furaha amniga akoonkaaga, beddelka 2FA.
• Si joogto ah u beddel eraygaaga sirta ah.

Akhriso^(Read) : Talooyin aad kaga ilaalinayso tuugada kombiyuutarkaaga Windows^{(Tips to Keep Hackers out of your Windows computer)} .

Gabagabo

Xaqiijinta laba-factor waa lakab ammaan oo waxtar leh oo ka ilaaliya akoonkaaga afduubka. Hackers waxay had iyo jeer rabaan inay helaan fursad ay kaga gudbaan 2FA. Haddii aad ka warqabto habab kala duwan oo jabsiga oo aad si joogto ah u beddesho eraygaaga sirta ah, si fiican ayaad akoonkaaga u ilaalin kartaa.

How Hackers can get around Two-factor Authentication

You may think that enabling two-factor authentication on your account makes it 100% secure. Two-factor authentication is among the best methods to protect your account. But you may be surprised to hear that your account can be hijacked despite enabling two-factor authentication. In this article, we will tell you the different ways by which attackers can bypass two-factor authentication.

What is Two-factor Authentication (2FA)?

Before we begin, let’s see what 2FA is. You know that you have to enter a password to log into your account. Without the correct password, you cannot log in. 2FA is the process of adding an extra security layer to your account. After enabling it, you cannot log into your account by entering the password only. You have to complete one more security step. This means in 2FA, the website verifies the user in two steps.

Read: How to Enable 2-step Verification in Microsoft Account.

How Does 2FA Work?

Let’s understand the working principle of two-factor authentication. The 2FA requires you to verify yourself two times. When you enter your username and password, you will be redirected to another page, where you have to provide a second proof that you are the real person trying to log in. A website can use any of the following verification methods:

OTP (One Time Password)

After entering the password, the website tells you to verify yourself by entering the OTP sent on your registered mobile number. After entering the correct OTP, you can log into your account.

Prompt Notification

Prompt notification is displayed on your smartphone if it is connected to the internet. You have to verify yourself by tapping on the “Yes” button. After that, you will be logged into your account on your PC.

Backup Codes

Backup codes are useful when the above two methods of verification won’t work. You can log into your account by entering any one of the backup codes you have downloaded from your account.

Authenticator App

In this method, you have to connect your account with an authenticator app. Whenever you want to log into your account, you have to enter the code displayed on the authenticator app installed on your smartphone.

There are several more methods of verification that a website can use.

Read: How To Add Two-step Verification To Your Google Account.

How Hackers can get around Two-factor Authentication

Undoubtedly, 2FA makes your account more secure. But there are still many ways by which hackers can bypass this security layer.

1] Cookie Stealing or Session Hijacking

Cookie stealing or session hijacking is the method of stealing the session cookie of the user. Once the hacker gets success in stealing the session cookie, he can easily bypass the two-factor authentication. Attackers know many methods of hijacking, like session fixation, session sniffing, cross-site scripting, malware attack, etc. Evilginx is among the popular frameworks that hackers use to perform a man-in-the-middle attack. In this method, the hacker sends a phishing link to the user that takes him to a proxy login page. When the user logs into his account using 2FA, Evilginx captures his login credentials along with the authentication code. Since the OTP expires after using it and also valid for a particular time frame, there is no use in capturing the authentication code. But the hacker has the user’s session cookies, which he can use to log into his account and bypass the two-factor authentication.

2] Duplicate Code Generation

If you have used the Google Authenticator app, you know that it generates new codes after a particular time. Google Authenticator and other authenticator apps work on a particular algorithm. Random code generators generally start with a seed value to generate the first number. The algorithm then uses this first value to generate the remaining code values. If the hacker is able to understand this algorithm, he can easily create a duplicate code and log into the user’s account.

3] Brute Force

Brute Force is a technique to generate all the possible password combinations. The time for cracking a password using brute force depends on its length. The longer the password is, the more time it takes to crack it. Generally, the authentication codes are from 4 to 6 digits long, hackers can try a brute force attempt to bypass the 2FA. But today, the success rate of brute force attacks is less. This is because the authentication code remains valid only for a short period.

4] Social Engineering

Social Engineering is the technique in which an attacker tries to trick the user’s mind and forces him to enter his login credentials on a fake login page. No matter whether the attacker knows your username and password or not, he can bypass the two-factor authentication. How? Let’s see:

Let’s consider the first case in which the attacker knows your username and password. He cannot log into your account because you have enabled 2FA. To get the code, he can send you an email with a malicious link, creating a fear in you that your account can be hacked if you do not take immediate action. When you click on that link, you will be redirected to the hacker’s page that mimics the authenticity of the original webpage. Once you enter the passcode, your account will be hacked.

Now, let’s take another case in which the hacker does not know your username and password. Again, in this case, he sends you a phishing link and steals your username and password along with the 2FA code.

5] OAuth

OAuth integration provides users with a facility to log into their account using a third-party account. It is a reputed web application that uses authorization tokens to prove identity between the users and service providers. You can consider OAuth an alternate way to log into your accounts.

An OAuth mechanism works in the following way:

1. Site A requests Site B (e.g. Facebook) for an authentication token.
2. Site B considers that the request is generated by the user and verifies the user’s account.
3. Site B then sends a callback code and lets the attacker sign in.

In the above processes, we have seen that the attacker does not require to verify himself via 2FA. But for this bypass mechanism to work, the hacker should have the user’s account username and password.

This is how hackers can bypass the two-factor authentication of a user’s account.

How to prevent 2FA bypassing?

Hackers can indeed bypass the two-factor authentication, but in each method, they need the users’ consent which they get by tricking them. Without tricking the users, bypassing 2FA is not possible. Hence, you should take care of the following points:

• Before clicking on any link, please check its authenticity. You can do this by checking the sender’s email address.
• Create a strong password that contains a combination of alphabets, numbers, and special characters.
• Use only genuine authenticator apps, like Google authenticator, Microsoft authenticator, etc.
• Download and save the backup codes at a safe place.
• Never trust phishing emails that hackers use to trick the users’ minds.
• Do not share security codes with anyone.
• Setup security key on your account, an alternative to 2FA.
• Keep changing your password regularly.

Read: Tips to Keep Hackers out of your Windows computer.

Conclusion

Two-factor authentication is an effective security layer that protects your account from hijacking. Hackers always want to get a chance to bypass 2FA. If you are aware of different hacking mechanisms and change your password regularly, you can protect your account better.

Related posts

• Sida loo suurtageliyo Xaqiijinta Laba-Arag ee Discord

• Sida Saxda Ah Loo Dejiyo Soo kabashada iyo Xulashada Kaabaynta ee Xaqiijinta Laba-Arrin

• Sida loo rakibo Drupal adoo isticmaalaya WAMP Windows

• Ugu Fiican Software & Hardware Seeraar boorsada Windows, iOS, Android

• Ku samee Xarunta Raadiyaha Internetka oo bilaash ah Windows PC

• Automate.io waa qalab otomaatig ah oo bilaash ah iyo beddelka IFTTT

• Sida loo isticmaalo Template si loogu sameeyo dukumeenti LibreOffice

• Talooyin, Qalab & Adeegyo Maareynta Sumcada ee khadka tooska ah

• Waa maxay Daaqadda Doqonnimo - Sharaxaada iyo Kahortagga

• Sidee loo Xidhaa Koontadaada Payoneer?

• Sida erayga sirta ah loogu ilaaliyo oo loo ilaaliyo dukumeenti PDF LibreOffice

• Software-ka Buuga Xusuus-qorka Dijital ah ee Sugan ee Bilaashka ah ee ugu Fiican & Adeegyada khadka

• Qalabka ugu fiican ee SMS-ka looga soo diro bilaash

• Koontada kuma xidhna akoon Mixer

• Disqus sanduuqa faallooyinka oo aan soo dejinaynin ama muujinaynin mareegaha

• App-ka fariimaha kullanku waxa uu bixiyaa ammaan xooggan; Lambar telefoon looma baahna!

• Maamulaha Aqoonsiga Microsoft: Astaamaha, Soo dejinta

• Miisaska Laptop-ka ee ugu Wanaagsan ee lagu iibsado onlayn

• Indhaha NASA waxay kaa caawinayaan inaad sahamiso Caalamka sida Cirbixiyeennada

• Sida loo rakibo Windows 95 on Windows 10