Google has released an update to its popular Authenticator app that stores users’ “one-time code” data in cloud storage, allowing users who have lost a device, and the authenticator on it, to retain access to two-factor authentication (2FA).
In an April 24 blog post announcing the update, Google said that the one-time-use tokens will be stored in the user’s Google Account, claiming that users will be “better protected from being locked out” and that it will increase “convenience and security.”
In an April 26 post to the r/Cryptocurrency forum on Reddit, Redditor u/pojut wrote that while the update helps those who lose the device their authenticator is installed on, it also makes them more vulnerable to hackers.
Because the data is kept in the cloud storage tied to the user’s Google account, anyone who gains access to the user’s Google password will then have full access to every app protected by that authenticator.
The user suggested that one possible way around the SMS 2FA problem is to use an old phone dedicated exclusively to housing your authentication application:
“I would also strongly suggest that, if possible, you should have a separate device (maybe an old phone or old tablet) whose sole purpose in life is to be used for your authentication app of choice. Don’t keep anything else on it, and don’t use it for anything else.”
Likewise, cybersecurity developers took to Twitter to warn about the additional complexities that come with Google’s cloud-based solution to 2FA.
This can be a major concern for users who use Google Authenticator for 2FA to log into crypto exchange accounts and other finance-related services.
Other 2FA security issues
The most common 2FA hack is a type of identity fraud known as a “SIM swap” where scammers gain control of a phone number by tricking the telecom provider into associating the number with their SIM card.
A recent example of this can be seen in a lawsuit filed against US-based cryptocurrency exchange Coinbase, where a customer claimed he lost “90% of his savings” after falling victim to such an attack.
Notably, Coinbase itself encourages the use of authenticator apps for 2FA instead of SMS, describing SMS 2FA as the “least secure” form of authentication.
On Reddit, users discussed the lawsuit and suggested banning SMS 2FA, though one Reddit user noted that it is currently the only authentication option available for a number of fintech and crypto-related services:
“Unfortunately, not many of the services I use offer Authenticator 2FA yet. But I definitely think the SMS approach has proven insecure and should be banned.”
Blockchain security firm CertiK has warned about the dangers of using SMS 2FA, with security expert Jesse Leclere telling Cointelegraph that “SMS 2FA is better than nothing, but it is the most widely used form of 2FA currently.”