Two-factor authentication, the added security step that requires people enter a code sent to their phone or email, has traditionally worked to keep usernames and passwords safe from phishing attacks. However, security experts have demonstrated an automated phishing attack that can cut through that added layer of security—also called 2FA—potentially tricking unsuspecting users into sharing their private credentials. The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month. The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. Amit Sethi, senior principal consultant at Synopsys, who was not affiliated with the presentation, says that while attacks against 2FA have been demonstrated in the past, these tools “make one of these attacks easier to execute for lower-skilled attackers.” If that’s not an option, Sethi also says being vigilant can help thwart potential 2FA phishing attacks.