The danger with Google’s new cloud backup for 2FA authenticator
Google’s new 2FA authenticator update could leave users vulnerable to single-point hacks and “SIM swapping” scams.
Google released an update for its popular authenticator app that stores a “one-time code” in cloud storage, allowing users who have lost the device with their authenticator on it to retain access to their two-factor authentication (2FA).
In an April 24 blog post announcing the update, Google said the one-time codes will be stored in a user’s Google Account, claiming that users would be “better protected from lockout” and it would increase “convenience and security.”
In an April 26 Reddit post to the r/Cryptocurrency forum, Redditor u/pojut wrote that while the update does assist those who lose the device with their authenticator app on it, it also makes them more vulnerable to hackers.
By securing it in cloud storage associated with the user’s Google account, it means that anyone who can gain access to the user’s Google password would then subsequently obtain full access to their authenticator-linked apps.
The user suggested that a potential way around the SMS 2FA issue is to use an old phone that is exclusively used to house your authenticator app.
“I’d also strongly suggest that, if possible, you should have a separate device (perhaps an old phone or old tablet) whose sole purpose in life is to be used for your authentication app of choice. Keep nothing else on it, and use it for nothing else.”
Similarly, cybersecurity developers Mysk took to Twitter to warn of additional complications that come with Google’s cloud storage-based solution to 2FA.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don’t turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk (@mysk_co) April 26, 2023
This could prove to be a significant concern for users who use Google Authenticator for 2FA to log into their crypto exchange accounts and other finance-related services.
The most common 2FA hack is a type of identity fraud known as “SIM swapping” which is where scammers gain control of a phone number by tricking the telecommunications provider into linking the number to their own SIM card.
A recent example of this can be seen in a lawsuit filed against United States-based cryptocurrency exchange Coinbase, where a customer claimed to have lost “90% of his life savings” after falling victim to such an attack.
Notably, Coinbase itself encourages the use of authenticator apps for 2FA as opposed to SMS, describing SMS 2FA as the “least secure” form of authentication.
I’m guessing his password was compromised because it was used on other sites, one of which got breached. Also, Coinbase encourages Authenticator app for 2FA by labeling it “secure” and SMS as “moderately secure”.
— Dave Ferguson (@_sc0rn) March 7, 2023
Related: OFAC sanctions OTC traders who converted crypto for North Korea’s Lazarus group
On Reddit, users discussed the lawsuit and even proposed that SMS 2FA be banned, although one Reddit user noted it currently stands as the only authentication option available for a number of fintech and cryptocurrency-related services:
“Unfortunately a lot of services I use don’t offer Authenticator 2FA yet. But I definitely think the SMS approach has proven to be unsafe and should be banned.”
Blockchain security firm CertiK has warned of the dangers of using SMS 2FA, with its security expert Jesse Leclere telling Cointelegraph that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”
Magazine: 4 out of 10 NFT sales are fake: Learn to spot the signs of wash trading