Google Authenticator is an app provided by Google that lets you protect your Google account from identity theft or other forms of misuse. Over recent years, email and Internet service providers have worked on ways to improve the security of user accounts and their data. So-called two-factor authentication is now standard - i.e. you no longer log in to your email service or other online accounts using only a password, but require a secondary security factor to log in. This often takes the form of a cell phone. In many cases two-factor authentication involves receiving a code sent via SMS, which is entered into your online account to prove your identity. The Google Authenticator app works in a similar manner. Once you have linked your Google account to your smartphone, you can use it to retrieve a six-digit code that you have to enter when logging in to Google (in addition to your chosen password). The app works even if your phone is offline. It is available for Android smartphones and Apple iPhones.

Recent news of security concerns around a new feature in Google Authenticator may have IT teams wondering if they need to adjust any reliance on the app for authentication within their networks or apps their organizations use. Launched in 2010, the Google Authenticator mobile app provided a more secure 2FA option than SMS one-time codes. The enhanced security came from how it worked – the app’s codes were generated on the user’s phone and never traveled through insecure networks.

The new feature allows users to sync 2FA codes across devices through the cloud – something users have wanted for a long time. It eliminates the need to reset each code with a lost or stolen device as well as streamlining access to 2FA codes on a new phone. However, Mysk researchers reported on Twitter that the sync is not encrypted:

“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. Why is this bad? Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”

Of course, this seems contrary to the initial security offered by the app when it launched – that it provided an alternative to codes traveling through insecure networks. SC Magazine summed up the concerns around the new secret sync feature for Google Authenticator:

“Researchers said the lack of encryption opens users up to data leakage and a possible Google account takeover. A successful attack gives a malicious actor access to the two-factor-authentication’s QR code used to generate a one-time code, allowing the bad actor to generate the same one-time code.”

The app is a very popular 2FA method, with over 100 million downloads on the Google Play store. However, this isn’t the first time security issues have been reported for Google Authenticator. In 2020, an Android malware strain was reported as extracting and stealing one-time passcodes generated through Google Authenticator. The app has also been previously flagged for lacking a passcode or biometric lock on the app itself, increasing the danger a lost device poses to an organization. This danger is of course increased for organizations that make use of BYOD, where IT teams cannot wipe end user devices.

What Concerned IT Teams Can Do About Google Authenticator