What IT Teams should do about security concerns around the new Google Authenticator sync feature (2024)

Recent news of security concerns around a new feature in Google Authenticator may have IT teams wondering if they need to adjust any reliance on the app for authentication within their networks or apps their organizations use.

Launched in 2010, the Google Authenticator mobile app provided a more secure 2FA option than SMS one-time codes. The enhanced security came from how it worked – the app’s codes were generated on the user’s phone and never traveled over insecure networks.

The new feature allows users to sync 2FA codes across devices through the cloud – something users have wanted for a long time. It eliminates the need to reset each code after a device is lost or stolen, and streamlines access to 2FA codes on a new phone.

However, Mysk researchers reported on Twitter that the sync is not encrypted:

“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. Why is this bad? Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”

Of course, this seems contrary to the initial security offered by the app when it launched – that it provided an alternative to codes traveling through insecure networks.

SC Magazine summed up the concerns around the new secret sync feature for Google Authenticator:

“Researchers said the lack of encryption opens users up to data leakage and a possible Google account takeover. A successful attack gives a malicious actor access to the two-factor-authentication’s QR code used to generate a one-time code, allowing the bad actor to generate the same one-time code.”

The app is a very popular 2FA method, with over 100 million downloads on the Google Play store. However, this isn’t the first time security issues have been reported for Google Authenticator.

In 2020, an Android malware strain was reported to extract and steal one-time passcodes generated by Google Authenticator.

The app has also previously been flagged for lacking a passcode or biometric lock on the app itself, increasing the danger a lost device poses to an organization. This danger is of course greater for organizations that use BYOD, where IT teams cannot wipe end-user devices.

What Concerned IT Teams Can Do About Google Authenticator

The reality of this new feature is that the end user has to turn it on, so the immediate risk posed to an organization whose users authenticate with the app is low.

However, concerned IT teams can still take action:

  • Advise end users of this new feature and recommend they do not turn it on until Google offers end-to-end encryption for it.
  • Make use of a flexible MFA platform where you can adjust how much weight a single factor of concern has in the user authentication process (like the platform that powers Specops uReset for Active Directory password resets – customers can see how to adjust their policies for situations like these in this post).
  • Don’t neglect the password. Google Authenticator is often the second factor, so the risk posed by any security concerns around the app only arises if the attacker gets past the first wall of defense – the password. When it comes to protecting your organization’s AD passwords against this risk, make use of solutions like Specops Password Policy, which can improve password security and protect against the use of over 4 billion unique compromised passwords.

The other thing to remember is that no single MFA factor is bulletproof. Each has its own potential vulnerabilities and security risks. The pragmatic IT team knows this and makes choices that balance these risks against end-user requirements. Taking this approach with MFA as well as with passwords themselves helps mitigate any single issue.

Questions about how to handle the risk of any one factor in your environment? Our team would love to help – contact us.

(Last updated on May 5, 2023)
