Comment
For personal use, watch out if you use Google Authenticator with sync to the cloud feature. If your Google account is compromised, e.g. you get phished:
- Your 2FA for other accounts might be compromised as well.
- If you use the GMail address for other accounts’ password recovery, the passwords for those accounts may be reset/compromised too, regardless of how complex the passwords are.
Question
For personal use, because “Google Prompt” on an Android device is automatically the default 2FA for Google account, can you delete this default 2FA method and just enable a FIDO2 key on Google’s account?
Summary
Google’s Authenticator app, designed for generating Multi-Factor Authentication (MFA) codes, was criticized by a security company called Retool for exacerbating a recent internal network breach. The breach occurred when an employee received a deceptive text message, leading them to share their login credentials, including a Temporary One-Time Password (TOTP), with the attackers. The situation escalated due to Google’s Authenticator sync feature introduced in April, which allowed the attackers to compromise multiple company accounts once they gained access to the employee’s Google account.
This synchronization feature stored MFA codes in the cloud, making them vulnerable if the Google account was compromised. Retool argued that Google employed unclear settings for disabling this feature, making it challenging for users and administrators to prevent. As a result, the attackers exploited this vulnerability to gain access to various accounts, including VPNs and internal systems, enabling them to take over specific customer accounts in the cryptocurrency industry.
Retool’s security shortcomings were also highlighted, as they relied on TOTPs, which can be phished with relative ease, instead of adopting more secure industry-standard MFA solutions like FIDO2. While Google defended its syncing feature, emphasizing its benefits for user convenience, they acknowledged the preference for local storage of OTPs in enterprise environments.
There’s a good argument to be made that Retool used the Google Authenticator issue to deflect attention away from Retool’s culpability in the compromise.
In conclusion, the incident underscores the importance of adopting FIDO2-compliant MFA for robust security, while Google’s Authenticator app is seen as a middle-ground option that may be inadequate for enterprises where security is paramount.
Off on a tangent here, but I think now is the proper time to say that people, when it comes to security, have no idea what’s good for them.
Before Google implemented this cloud sync feature, people were constantly complaining online about how they really wanted their TOTP codes to sync when they got a new phone. Nobody stops to consider the security implications of chasing convenience, but if you stop to warn them, suddenly you’re the bad guy for creating problems or “opposing their solution”.
You need some form of backup though or you can lose access to your accounts if you lose/break your phone. A lot of sites give one time use backup codes but not all, and you still need somewhere secure to store those.
You need to print them out and put them in a drawer. No need to overthink this one.
Same goes for the MFA secrets, just print the whole list.
Yes, that exposes you to a whole different type of attack, but they’re a lot more targeted and I would argue that as a functioning adult one has to deal with storing some sensitive physical papers at some point anyway.
This is what crypto wallets recommend you do. I don’t see why that’s a bad solution for backing up.
A note in your password safe is secure enough.
That’s what I do. But now thanks to Google I must change them…
That takes your multi factor and gives it a single point of weakness again, undermining the whole point. If your password safe is compromised, the attacker now has both the password and a code.
I think the problem here was using Google as the account email, the password vault, and the TOTP sync. If they at least had separate services, such as using Microsoft Authenticator for TOTP instead of Google, it would have been harder to compromise everything.
When I was in cybersecurity the most irritating argument someone tried to use to get approval was “everything is hackable nowadays so the requirements are unnecessarily difficult”. They might have had a point if we weren’t talking about HIPAA compliance…
This is like saying every lock is pickable so don’t lock the door at all.
The only way I sync my 2FA codes is in an encrypted JSON on my own hard drive via a sync app to my NAS.
Can it be exploited? Certainly.
Will I be a target at home? Probably not. More likely at work.