
Avoiding Phone Verification When I have Email Password + User Agent + IP Address?





I've been an outside lurker on this forum for a while, and I finally decided to join today because I'm pretty much stuck on this.


Now, assuming I have the credentials like these {{mail: xxxx@yahoo.com, password: LongliveHack5, IP Address:, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36}}, how can I log into an email account without triggering the phone verification process? I am specifically interested in Yahoo, Gmail and Hotmail accounts.


So far, I have tried matching SOCKS5 to the IP address, using a VPN that matches the same country/city, and worked with Mozilla, Chrome, Opera Mini, UC browsers from my computer, and also tried a couple of options on phone/tablets, but nothing has worked so far. On each occasion, I keep on getting prompts to verify the phone because the browser somehow categorizes me as a new user.


My aim for this is to copy browser agents and IP addresses (of course with the matching username and passwords) from a different computer to use on my computer without being bothered by the annoying phone verification part. If you can help or guide me, I'll greatly appreciate it. And for purposes of full disclosure, I am a bit of a noob in this, so please make your answer noob-friendly :) An alternative would be for anyone to give me any tips to bypass the phone authentication on emails when I DON'T have the cookies from the original browser.


Thank you in advance for your time and consideration!


It depends, dude. Not all email accounts have 2 factor auth. Try registering some valid email accounts yourself on Google, Hotmail, etc. and try logging in under different circumstances, i.e. VPNs from different countries, different browsers, etc., to see what triggers the additional authentication. They might even profile each user to see their patterns of use, and any anomalies to those patterns might trigger the additional auth.

If the logins you got are from a list that has been distributed or sold to others who have also tried to log in to those accounts, then forget about it. Those accounts would be on a watch list and you'll have a next to nothing chance of getting in.

I have a friend that works in IT who said they use 20 different criteria to fingerprint individuals logging into their site. Aside from browser and OS they use things like screen resolution, local PC time, language, etc.

Also, I have heard of people porting phone numbers to receive the 2FA messages but I neither condone nor recommend that.

Edited by icarus255

I'll suggest trying Burp Suite; connect your browser to Burp's proxy and accept the agent.


If you're trying to sidejack traffic, it seems doable. At some point you should be able to make the system think you are already an authenticated machine.


Burp will give you the best control and view of each header and the ability to modify the header. A controlled test environment.
