Two-Factor Authentication Is Unsafe: The Discovery of Three Italian Researchers

L’two-factor authentication (also known as 2FA, 2 factor authentication) is a step we are accustomed to by now to carry out many operations: since the end of 2020 in Europe it is mandatory for all online transactions, but in general it is a mechanism to protect many aspects of our life digital. The reason behind its increasingly widespread adoption within the tech landscape obviously lies in the degree of security it is able to guarantee, requiring the joint use of two different individual authentication methods (an ID, a One Time Password, a code received via email, SMS or app). And it is precisely the security of this system that is now starting to creak dangerously.

They raised the question three Italian researchers of the University of Salento: Franco Tommasi, Christian Catalano and Ivan Taurino. In fact, scholars have been able to elaborate a system capable of breaking two-factor authentication: the tactic has been baptized BitM – Browser-in-the-Middle-attack – and it resembles classic phishing in its modalities, but with one fundamental difference.


BitM attacks have in common the first steps with traditional phishing: it all lies in theget in touch with the victim and push them to open a link (for example through an email pretending to be a bank). But if normally the purpose of phishing is to obtain sensitive user data by leading them to a fake site and prompting them to enter their credentials, thus delivering them to the hacker, BitM instead brings the user in front of the real site. And that’s why it can be even more dangerous, since victims have even fewer opportunities and clues to notice that something is wrong.

Basically the three Italian scholars have proved that andthere is the possibility for cybercriminals to enter communications between the user and the site by making them view another browser within the browser that has the role of intermediary: this explains the acronym chosen to define this type of technique, Browser-in-the-Middle-attack, i.e. an attack that uses a median browser.

Professor Franco Tommasi illustrated the method as follows in a statement issued to La Repubblica:

The method is based on the same protocol used to control the screen of a remote computer. In our case, the victim views the attacker’s screen, a full-screen web browser that is actually ‘visiting’ the authentic site. The victim thus interacts with the attacker’s computer without realizing it, believing that he is visiting the authentic site.


The article signed by Tommasi, Catalano and Taurino describing the problem appeared in the magazine International Journal of Information Security already a year ago, on April 17, 2021. The researchers, before publishing it, have chosen to alert tech giants such as Google, Apple and Mozilla as a precaution. But after all this time the preconditions for the attack to work still remain intact, and there is currently no solution to this weakness.

This is demonstrated by the attack of the hacker mr.d0x who tested the effectiveness of the BitM method on February 23, 11 months after the alarm launched by the Italian team, which also tried to steal the authorship of the discovery. claiming it on Twitter and then blocking the accounts of the scholars who had intervened to mislead it.

Currently, therefore, the best (and only) possible defense is always attention and prudence: for hackers to be successful, the user must always fall into the phishing trap first. Without this premise, no attack is possible: and yet, as much as most users manage to avoid it, there is always someone who falls for inexperience or distraction.

Leave a Comment