How to bypass Gmail and Google 2-step verification on Android devices

Please note that this article is being drafted or rewritten and may contain imperfections. It has not yet been reviewed for final publication.

In addition to passwords, 2FA is a way to add extra protection to your online accounts. But you sometimes need to turn off 2FA for a variety of reasons. This article will show you how to bypass 2FA or factory reset protection.

What is two-factor authentication (2FA)?

Two-factor authentication is an additional layer of protection on top of your existing login information. It ensures that the person trying to log into the online account is who they claim to be.

2FA kicks in immediately after you enter your username and password but before you can access the account. With 2FA on Gmail, you need to provide an additional piece of information.

E.g.:

  • Something you own. (Tokens, smartphones, credit or debit cards, etc.)
  • Something you know. (PINs, keystroke patterns, passwords or answers to secret questions, etc.)
  • Your identity. (Biometric patterns, iris scans, audio recordings, fingerprints, handprints, etc.)

What does Google Account Verification do?

According to Litmus, in June 2018, 46% of emails were opened on mobile devices.

However, mobile phones can sometimes be lost or even stolen. That's why Google introduced new security features in Lollipop 5.1. The biggest of these is Factory Reset Protection (FRP) or Google Account Verification.

Before Android 5.1 Lollipop, Google's 2-step verification could be bypassed on a device with a simple factory reset.

Starting with Lollipop, this is no longer the case. If you attempt a factory reset to bypass Google Account verification, the following message will appear on the device screen:

This device has been reset. Continue to sign in with the Google Account that was previously synced on this device.

Obviously, this is a great way to protect your device if it's stolen or lost.

How to turn on 2FA Gmail protection?

To enable 2FA for Google Account Verification, please refer to Google Support:

  1. Go to your Google Account by clicking on your picture and selecting Manage Your Google Account.
  2. Select Security from the left navigation panel.
  3. Select 2-step verification under Signing into Google.
  4. Click the Get Started button and follow the steps on the screen.

Now let's say you forgot or lost your 2FA and need it to verify your Google account. How to bypass 2FA Gmail protection?

How to bypass 2FA

Of course, there are several ways to do this. We'll discuss the five most common methods, but if you're interested, read KnowBe4's report, which mentions 11 ways to bypass Google's 2-step verification.

Use the password reset function

That's what the hackers did in the Amnesty International example described below. They sent a fake Gmail alert, phished an SMS token, and ended up having their victims reset their passwords.

Use the OAuth mechanism

Another 2FA Gmail bypass method uses a third-party login mechanism called OAuth. If you're not familiar with OAuth, this is what happens when you log into another account using Google or Facebook.

While it's a convenient way to log into websites, and Google or Facebook should be safe, it's also a way for hackers to bypass 2FA: they can use the OAuth integration to log in without needing login credentials.

Use race conditions

Here, a race condition means the reuse of a previously known value, for example when an application accepts a token, used or unused, at a later time. To do this, hackers first need access to those previous values, which they can obtain by intercepting earlier codes.

Use brute-force

If the input field is not rate limited, attackers can try to brute-force 2FA codes, especially number-based codes. Since the standard length of a code is 4-6 digits, there are only 151,800 possibilities. You don't need a supercomputer to crack it.
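The two weaknesses above (codes that are accepted again later, and code fields with no attempt limit) are closed on the server side. The following is an added example, not code from the original article or from Google: a minimal verifier in which each code is single-use, short-lived and limited to a few guesses. The class name, the policy constants and the result strings are assumptions made for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed policy: wrong guesses allowed per challenge
CODE_TTL = 120     # assumed policy: seconds a code stays valid


class OtpChallenge:
    """One issued code for one login attempt (hypothetical server-side record)."""

    def __init__(self, now=None):
        # 6 digits = 10**6 equally likely values, drawn from a CSPRNG
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.expires_at = (time.time() if now is None else now) + CODE_TTL
        self.failures = 0
        self.consumed = False

    def verify(self, submitted, now=None):
        """Return 'ok', 'bad_code', 'locked', 'expired' or 'replayed'.

        In a real service this whole method must run atomically (one
        transaction or compare-and-set) so that two parallel requests
        cannot both pass the checks before either one records its result.
        """
        now = time.time() if now is None else now
        if self.consumed:
            return "replayed"   # a code that already worked never works again
        if now > self.expires_at:
            return "expired"    # an intercepted old code is useless
        if self.failures >= MAX_ATTEMPTS:
            return "locked"     # guessing stops here, even with the right code
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.consumed = True
            return "ok"
        self.failures += 1
        return "bad_code"


def guess_success_probability(attempts=MAX_ATTEMPTS, digits=6):
    """Upper bound on a blind guesser's chance against one challenge."""
    return attempts / 10**digits
```

With these assumed limits a blind guesser gets at most 5 tries out of 10**6 values per challenge, so the attempt counter, not the code length alone, is what makes guessing impractical.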

Use social engineering

To do this, the hacker must have the target's username and password. With these, they can send the victim an email asking for the Google verification code that was sent to the target's number. Once the target sends the code, the attacker can easily bypass 2FA.

In another scenario, hackers can trick users into clicking on a phishing link in an email, where the user will provide their credentials.

Hackers can then use these to log into the actual site. When the target also receives and enters the code, the hacker sees this on the fake site and can enter the code on the real site to bypass 2FA.

According to an Amnesty International report, hackers bypassed 2FA verification for Gmail and Yahoo in 2018.

Users first received a fake Gmail security alert notifying them that their accounts were compromised and their passwords had to be changed. They were then sent to a fake Google or Yahoo site where they had to enter their login credentials.

From this page, the target was redirected to another page telling them that they had received the Google Verification registration code via SMS. After entering the code, the user saw a password reset form. Once they reset their passwords, the hackers could use them to gain access to their accounts. Since the spoofed Google email looks like a legitimate email from Google, many people are fooled.

In addition, the hackers even created phishing sites for secure email services such as ProtonMail and Tutanota.

Bypass the Google Account Verification Lock Using an FRP Bypass APK

Many Samsung users report that this FRP Bypass method works for them.

In this case, you need:

Steps:

  1. Download FRP Bypass APK and copy it to a USB flash drive.
  2. Reboot your Android device (press and hold the power and volume down keys for more than 7 seconds).
  3. Connect the phone to the WiFi network (Skip the Insert SIM card screen.)
  4. Tick I understand and agree to the above terms and conditions and No, thank you.
  5. Click Next.
  6. When you see the FRP Lock message, insert the USB stick into your PC.
  7. Connect your Android and PC with OTG cable and wait for File Manager to start.
  8. In the file manager, tap Bypass any Samsung account locks.
  9. Tap the next folder to open it, then tap the .txt file: Bypass any Samsung Lock.apk.
  10. When the Install Blocked message appears, click the Settings button.
  11. Go to Unknown Sources in Settings (gear icon.)
  12. Check Allow this install only and click OK.
  13. On the Development Settings screen, click Install under Do you want to install this application?.
  14. Click Open after installation is complete.
  15. Go to Settings and select Backup & Reset.
  16. Click Factory data reset on your phone.
  17. Next, click Erase Everything and wait a few minutes for it to finish.
  18. The phone will now reset, and you will see the initial setup screen.
  19. Finally, unplug the OTG cable from your device and set it up again. FRP bypass complete.

Disable FRP bypass by deleting your Google account

This method works if you're the one selling the phone. Steps:

  1. Open Settings on your phone.
  2. Click Account.
  3. Select your Google account.
  4. Click Remove Account and confirm.

Bypass Google Account Verification from Settings

To bypass Google 2-step verification during setup, follow these steps:

  1. Navigate to Settings > General Settings > Reset.
  2. Follow the setup process until you get to Connect to a WiFi network.
  3. Tap the WiFi Password text box.
  4. A Google Keyboard will appear. Click and hold the space bar and select English (or your native language.)
  5. Go to the WiFi connection screen and enter your network password.
  6. After a while, you will be prompted to enter your Google Account information. Enter your email address.
  7. Press and hold the @ symbol.
  8. Go to Google Keyboard Settings.
  9. Tap the menu (three dots).
  10. Select Help and Feedback
  11. On the next screen, select Search Google and send results from your keyboard.
  12. This will open a web page. Press and hold anywhere until the menu appears.
  13. Click Web Search.