Google’s Authenticator Update Raises Security Concerns

Google has published an update to its Authenticator app that keeps a “one-time code” in cloud storage. This update is part of the company’s endeavor to assist customers in maintaining access to their two-factor authentication (2FA) systems. Users who have misplaced their device that contained their authenticator may still access their two-factor authentication using this code. The storage of one-time codes in a user’s Google Account, as recommended by Google, is said to improve both convenience and security and shield users from being locked out of their accounts. However, this approach is causing other people to worry about their safety.

In a post made to the r/Cryptocurrency forum, the user u/pojut pointed out that keeping one-time codes in cloud storage connected with the user’s Google account might render users more susceptible to attacks from cybercriminals. If a hacker were to get the user’s Google password, they would be able to gain complete access to all of the user’s authenticator-linked applications. An outdated phone that is utilized just for the purpose of housing the authenticator app was recommended by user u/pojut as a solution to this problem.

Developers of cybersecurity software called Mysk have also taken to Twitter to provide a warning about the extra issues that come with using Google’s cloud storage-based approach to two-factor authentication (2FA). Users that use Google Authenticator as a second factor of authentication for logging into their cryptocurrency exchange accounts and other services linked to finance may find this to be a substantial cause for worry. The two-factor authentication (2FA) system is vulnerable to a variety of attacks, the most prevalent of which is known as “SIM swapping.” This kind of identity theft allows con artists to take control of a phone number by deceiving a telecoms operator into associating the number with their own SIM card.

A recent example of this may be seen in a lawsuit that was recently filed against the cryptocurrency exchange Coinbase, which is situated in the United States. In the case, a client claimed that he had lost “90% of his life savings” as a result of being a victim of such an assault. Notably, Coinbase itself recommends using authenticator applications for two-factor authentication rather than sending a verification code by text message. The company calls SMS two-factor authentication the “least secure” type of authentication.

An upgrade to Google Authenticator may benefit users who have misplaced their authenticator app, but it has caused some users to be concerned about the service’s level of security. The use of cloud storage to store one-time codes leaves users open to attack by cybercriminals, who may then be able to discover the user’s Google password and, as a result, acquire complete access to all of the authenticator-linked applications used by the user. Users who use Google Authenticator for two-factor authentication should take precautions to safeguard themselves, such as installing their authentication app on a different device and avoiding two-factor authentication through SMS.

Source: https://blockchain.news/news/googles-authenticator-update-raises-security-concerns