The world is cruel in reality and it is the same online. Data preachers, script kiddies, corporate hackers and pentesters all fall under the same category: attacking web properties and exploiting them as far as they can.
Some do it for a noble cause, but others do it for monetary gain or simply for fun.
A website has many critical points through which an attack can happen and damage can be done. Which of them is hit depends on the motive behind the attempted hack.
There are basically a few motives behind exploiting a web property. These motives are:
To test stability and security: This is often the case with security researchers and practitioners, who test a website's stability and security by running different levels of stress tests and looking for loopholes that would let them bypass authentication or perform unauthorized manipulations.
Compromising data on the server: Wiping all data from the server with the intention of hurting the owner's reputation.
Extracting data from the server: This is yet another popular motive for hackers: stealing data and selling it to a competitor or on the black market.
Sometimes it is also done for personal purposes.
Gaining access to an account and using it without authorization: This type of exploitation is mainly targeted. Most of the time the targets are known and are followed in order to get their credentials by any means.
Social engineering, eavesdropping during authentication, keyloggers etc. are some of the popular ways it is carried out.
One of the popular attacks mentioned above is eavesdropping. Hackers capture the data transferred during authentication and decode it into plain text using different methods.
This data can include sensitive information such as usernames and passwords or secret access tokens, which, once revealed, can be used for any purpose.
Two factor authentication is capable of securing websites from attacks which are pre-targeted and are carried out before, during or after authentication.
As the name suggests, two factor authentication is a two step verification which can be added after any process to verify the genuineness of an access attempt.
The two factor authentication described here is SMS based: the genuineness of the user is validated using SMS. The second authentication factor is delivered by an automated phone call or SMS to the registered mobile number, providing a code with a custom expiration time.
The user has to enter the code within that time to validate themselves.
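As an added example (not code from the original post), here is a minimal server-side implementation of the code lifecycle described above: a randomly generated code that expires after a custom time, is accepted only once, and is discarded after a few wrong guesses. The function names, the in-memory store, the six-digit length and the three-attempt limit are this example's own assumptions; the SMS or voice gateway that delivers the code is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_DIGITS = 6    # assumed code length
MAX_ATTEMPTS = 3   # assumed number of wrong guesses before the code is voided


@dataclass
class PendingCode:
    digest: bytes      # SHA-256 of the code; the plaintext is never stored server-side
    expires_at: float  # absolute epoch time after which the code is rejected
    attempts: int = 0  # failed guesses so far


# Hypothetical in-memory store keyed by user id (a real deployment would use a DB or cache).
_pending: Dict[str, PendingCode] = {}


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


def issue_code(user_id: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Generate a one-time code, record its hash and expiry, and return the plaintext
    so the caller can hand it to the SMS/voice gateway. Re-issuing replaces the old code."""
    now = time.time() if now is None else now
    # secrets.randbelow is CSPRNG-backed; zero-pad so every code has CODE_DIGITS digits.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[user_id] = PendingCode(_digest(code), now + ttl_seconds)
    return code


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept the code only if it is unexpired and matches. A correct code is consumed
    (single use); an expired code or MAX_ATTEMPTS wrong guesses voids the pending code."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry.expires_at:
        del _pending[user_id]          # expired: the user must request a fresh code
        return False
    # Constant-time comparison so response timing does not leak how many digits matched.
    if hmac.compare_digest(entry.digest, _digest(submitted)):
        del _pending[user_id]          # single use: a replayed code must fail
        return True
    entry.attempts += 1
    if entry.attempts >= MAX_ATTEMPTS:
        del _pending[user_id]          # too many guesses: void the code entirely
    return False
```

The `now` parameter exists so the expiry logic can be exercised with a fixed clock; in production it is left at its default.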
A cross check on top of authentication closes the gate to hackers who try to exploit and bypass authentication, or who obtain credentials unethically for unauthorized use.
In a real life scenario, if someone has the credentials to an account, they can only make it as far as the two factor check and will never get beyond it.
This way 2FA can be considered one of the helpful implementations on a website to improve its security.