What IT Teams should do about security concerns around the new Google Authenticator sync feature
Recent news of security concerns around a new feature in Google Authenticator may have IT teams wondering if they need to adjust any reliance on the app for authentication within their networks or apps their organizations use.
Launched in 2010, the Google Authenticator mobile app provided a more secure 2FA option than SMS one-time codes. The enhanced security came from how it worked – the app’s codes were generated on the user’s phone and never traveled through insecure networks.
The new feature allows users to sync 2FA codes across devices through the cloud – something users have wanted for a long time. It eliminates the need to reset each code with a lost or stolen device as well as streamlining access to 2FA codes on a new phone.
However, Mysk researchers reported on Twitter that the sync is not encrypted:
“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. Why is this bad? Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”
Of course, this seems contrary to the security benefit the app offered when it launched – that it provided an alternative to codes traveling through insecure networks.
SC Magazine summed up the concerns around the new secret sync feature for Google Authenticator:
“Researchers said the lack of encryption opens users up to data leakage and a possible Google account takeover. A successful attack gives a malicious actor access to the two-factor-authentication’s QR code used to generate a one-time code, allowing the bad actor to generate the same one-time code.”
The app is a very popular 2FA method, with over 100 million downloads on the Google Play store. However, this isn’t the first time security issues have been reported for Google Authenticator.
In 2020, an Android malware strain was reported as extracting and stealing one-time passcodes generated through Google Authenticator.
The app has also been previously flagged for lacking a passcode or biometric lock on the app itself, increasing the danger a lost device poses to an organization. This danger is of course greater for organizations that use BYOD, where IT teams cannot wipe end user devices.
What Concerned IT Teams Can Do About Google Authenticator
The reality of this new Google Authenticator feature is that the end user has to turn it on, so the immediate risk posed to an organization whose users authenticate with the app is low.
However, concerned IT teams can still take action:
- Advise end users of this new feature and recommend they do not turn it on until Google offers end-to-end encryption for it.
- Make use of a flexible MFA platform where you can adjust how much weight a single factor of concern has in the user authentication process (like the platform that powers Specops uReset for Active Directory password resets – customers can see how to adjust their policies for situations like these in this post).
- Don’t neglect the password. Google Authenticator is often the second factor. The risk posed by any security concerns around the app arises only if the attacker gets past the first wall of defense – the password. When it comes to protecting your organization’s AD passwords against this risk, make use of solutions like Specops Password Policy, which can improve password security and protect against the use of over 4 billion unique compromised passwords.
The other thing to remember is that no single MFA factor is bulletproof. Each has its own potential vulnerabilities and security risks. The pragmatic IT team knows this and makes choices that balance these risks against end user requirements. Taking this approach to protecting MFA as well as passwords themselves helps mitigate any single issue.
Questions about how to handle the risk of any one factor in your environment? Our team would love to help – contact us.
(Last updated on September 30, 2024)