Google’s new 2FA authenticator update could leave users susceptible to single-point hacks and “SIM swapping” scams.
Google released an update for its popular authenticator app that stores a “one-time code” in cloud storage, allowing users who have lost the device with their authenticator on it to retain access to their 2FA.
In an April 24 blog post announcing the update, Google said the one-time codes will be stored in a user’s Google Account and claimed users would be “better protected from lockout” and it would increase “convenience and security.”
In an April 26 Reddit post to the r/Cryptocurrency forum, Redditor u/pojut wrote that while the update does help those who lose the device with their authenticator app on it, it makes them more susceptible to hackers.
By securing it in cloud storage associated with the user’s Google account, it means that anyone who can gain access to the user's Google password would then subsequently get full access to their authenticator-linked apps.
The user suggested that a possible way around the SMS 2FA issue is to use an old phone that is exclusively used to house your authenticator app.
“I'd also strongly suggest that, if possible, you should have a separate device (perhaps an old phone or old tablet) whose sole purpose in life is to be used for your authentication app of choice. Keep nothing else on it, and use it for nothing else.”
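The Reddit user's concern rests on one property of app-based 2FA: the TOTP seed is the whole second factor, and any copy of it (on a phone, in an account backup) produces identical codes. The following is an added example, not code from Google, Mysk or the Reddit post; it implements RFC 4226/6238 from the standard library, uses the RFC's published test seed (constructed input, labelled in the code), and the function names are the author's own. It models a synced seed as a second copy and shows that the copy authenticates just as well as the original, which is why the account password guarding that copy becomes the single point of failure.

```python
import base64
import hashlib
import hmac
import struct

# Constructed input: the RFC 6238 / RFC 4226 reference seed ("12345678901234567890")
# in the base32 form authenticator apps use for enrolment, export and backup.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step). Only seed and clock matter."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    return hotp(base64.b32decode(padded), unix_time // step, digits)


def codes_from_both_copies(seed_b32: str, unix_time: int) -> tuple:
    """Model the sync: the phone and the account backup hold the same seed bytes,
    so both emit the same code. Nothing device-bound is involved in the computation."""
    phone_copy = seed_b32
    account_backup_copy = seed_b32  # hypothetical stand-in for what a synced account stores
    return totp(phone_copy, unix_time), totp(account_backup_copy, unix_time)


def verify_code(seed_b32: str, candidate: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept codes within a small clock-drift window, compare in constant time."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(seed_b32, unix_time + 30 * k), candidate):
            return True
    return False


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code at this time is 287082
    print("phone / backup codes:", codes_from_both_copies(RFC_TEST_SEED_B32, t))
    print("server accepts:", verify_code(RFC_TEST_SEED_B32, "287082", t))
```

The takeaway for defenders is that a synced authenticator moves the seed's confidentiality boundary from "possession of the device" to "whatever protects the account that holds the backup", so the strength of that account's password and its own second factor now bounds the strength of every TOTP login that depends on it.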
Similarly, cybersecurity developers Mysk took to Twitter to warn of further complications that come with Google’s cloud storage-based solution to 2FA.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
This could prove to be a significant concern for users who use Google Authenticator for 2FA to log into their crypto exchange accounts and other finance-related services.
The most common 2FA hack is a type of identity fraud known as “SIM swapping,” which is where scammers gain control of a phone number by tricking the telecommunications provider into linking the number to their own SIM card.
A recent example of this can be seen in a lawsuit filed against United States-based cryptocurrency exchange Coinbase, where a customer claimed to have lost “90% of his life savings” after falling victim to such an attack.
Notably, Coinbase itself encourages the use of authenticator apps for 2FA as opposed to SMS and describes SMS 2FA as the “least secure” form of authentication.
I'm guessing his password was compromised because it was used on other sites, one of which got breached. Also, Coinbase encourages Authenticator app for 2FA by labeling it "secure" and SMS as "moderately secure".
— Dave Ferguson (@_sc0rn) March 7, 2023
On Reddit, users discussed the lawsuit and even proposed that SMS 2FA be banned. As one Reddit user noted, it currently stands as the only authentication option available for a number of fintech and cryptocurrency-related services:
“Unfortunately a lot of services I use don’t offer Authenticator 2FA yet. But I definitely think the SMS approach has proven to be unsafe and should be banned.”
Blockchain security firm CertiK has warned of the dangers of using SMS 2FA, with its security expert Jesse Leclere telling Cointelegraph that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”