Two-factor authentication is being touted by many as the "next big thing" in security, and enterprises are adopting it at a growing rate. As with any heavily hyped security technology, it has its weaknesses, and even mature implementations can be bypassed: a one-time code is only as trustworthy as the page the user types it into. The first half of this talk covers the design, implementation, and effectiveness of a credential harvester the authors built that captures both username-password pairs and two-factor authentication tokens. The second half focuses on practical mitigation, and offers guidance for people currently rolling out two-factor authentication on how to prevent and detect this kind of attack in their environments.
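The following is an added illustration of the attack class the abstract describes; it is not the authors' harvester and not code from the talk. It simulates a site protected by password plus TOTP, a phishing page that captures both and replays them against the real site before the code expires, and, as one mitigation, an origin-bound challenge-response in which the victim's authenticator signs the origin it is actually talking to, so a relayed response fails. The hostnames, user names, secrets and the use of a symmetric HMAC in place of a real asymmetric WebAuthn signature are all simplifying assumptions.

```python
"""Added simulation (not from the talk): real-time relay of password + TOTP
through a phishing page, versus origin-bound challenge-response.
All names, secrets and hostnames below are made up for the example."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits)."""
    counter = struct.pack(">Q", int(t // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


class OtpService:
    """The real site: password plus TOTP. Accepts the current 30 s step and the previous one."""

    def __init__(self, users):
        self.users = users  # username -> (password, totp_secret)

    def login(self, username, password, code, now):
        pw, sec = self.users.get(username, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return False
        # The code is checked only against time, not against where it was typed.
        return any(hmac.compare_digest(totp(sec, now - d), code) for d in (0, 30))


class OtpHarvester:
    """Phishing page (hypothetical 'phish.example'): stores the victim's password and
    one-time code and relays them to the real site immediately, inside the code's window."""

    def __init__(self, target):
        self.target = target
        self.loot = []

    def victim_submits(self, username, password, code, now):
        self.loot.append((username, password, code))
        return self.target.login(username, password, code, now)


class OriginBoundService:
    """Mitigation: the client signs (origin || server challenge). The server only ever
    computes the expected value with its own origin. HMAC stands in for the asymmetric
    signature a real WebAuthn authenticator would produce (simplification)."""

    ORIGIN = "https://real.example"

    def __init__(self, users):
        self.users = users      # username -> device key
        self.pending = {}       # username -> outstanding challenge

    def start(self, username):
        challenge = secrets.token_bytes(16)
        self.pending[username] = challenge
        return challenge

    def finish(self, username, signature):
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return False
        expected = hmac.new(self.users[username], self.ORIGIN.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(key, origin, challenge):
    """The victim's browser/authenticator always binds the origin it is really connected to."""
    return hmac.new(key, origin.encode() + challenge, hashlib.sha256).digest()


class OriginBoundHarvester:
    """Same phishing page against the origin-bound site: it can relay the challenge,
    but the victim's device signs the phishing origin, not the real one."""

    ORIGIN = "https://phish.example"

    def __init__(self, target):
        self.target = target

    def victim_visits(self, username, victim_key):
        challenge = self.target.start(username)
        signature = authenticator_sign(victim_key, self.ORIGIN, challenge)
        return self.target.finish(username, signature)


def demo(now=1_700_000_000):
    """Returns (otp_relay_succeeded, otp_replay_after_window, legit_origin_bound, phished_origin_bound)."""
    secret = b"victim-totp-secret"
    otp_site = OtpService({"alice": ("hunter2", secret)})
    harvester = OtpHarvester(otp_site)
    code = totp(secret, now)
    relayed = harvester.victim_submits("alice", "hunter2", code, now)  # works: code still valid
    late = otp_site.login("alice", "hunter2", code, now + 120)         # fails: code has expired

    key = b"victim-device-key"
    ob_site = OriginBoundService({"alice": key})
    legit = ob_site.finish("alice", authenticator_sign(key, OriginBoundService.ORIGIN, ob_site.start("alice")))
    phished = OriginBoundHarvester(ob_site).victim_visits("alice", key)
    return relayed, late, legit, phished


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that the harvester needs nothing clever: a one-time code that is valid for anyone who presents it within the window is simply forwarded. The origin-bound variant fails to relay not because the attacker is detected but because the signed data names the wrong site, which is the property to look for when choosing a second factor.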