Google has released an update to its popular authenticator app that stores a “one-time code” in the cloud, allowing users who have lost the device with their authenticator on it to retain access to their two-factor authentication (2FA).
In an April 24 blog post announcing the update, Google said the one-time codes would be stored in the user’s Google account, claiming that users would be “better protected against lockouts” and that it would increase “convenience and security.”
In an April 26 Reddit post on the r/Cryptocurrency forum, redditor u/pojut wrote that, while the update helps those who lose the device with their authenticator app on it, it also makes them more vulnerable to hackers.
Because the codes are saved to the cloud storage associated with the user’s Google account, anyone who obtains the user’s Google password would then gain full access to the apps linked to the authenticator.
The user suggested that a possible way around the SMS 2FA problem is to use an old phone dedicated exclusively to hosting the authenticator app.
“I also strongly suggest that, if possible, have a standalone device (perhaps an older phone or tablet) whose sole purpose is to use the authenticator app of your choice. Don’t keep anything else on it and don’t use it for anything else.”
Similarly, the cybersecurity developers at Mysk took to Twitter to warn of the additional complications that come with Google’s cloud storage-based 2FA solution.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don’t turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk (@mysk_co) April 26, 2023
This could turn out to be a major concern for users who rely on Google Authenticator as 2FA to log in to their cryptocurrency exchange accounts and other finance-related services.
Other security issues of 2FA authentication
The most common 2FA hack is a type of identity fraud known as “SIM swapping,” where scammers gain control of a phone number by tricking the telecommunications provider into linking the number to their own SIM card.
A recent example of this type of fraud is the lawsuit filed against Coinbase, the US-based cryptocurrency exchange, in which a customer claimed to have lost “90% of his life savings” after falling victim to an attack of this type.
It should be noted that Coinbase itself encourages the use of authenticator apps for 2FA over SMS, describing SMS 2FA as the “least secure” form of authentication.
I’m guessing his password was compromised because it was used on other sites, one of which got breached. Also, Coinbase encourages Authenticator app for 2FA by labeling it “secure” and SMS as “moderately secure”.
— Dave Ferguson (@_sc0rn) March 7, 2023
On Reddit, users discussed the lawsuit and even proposed that the use of SMS 2FA be banned, although one Reddit user noted that it currently remains the only authentication option available for a number of fintech and cryptocurrency-related services:
“Unfortunately, many of the services I use do not yet offer Authenticator 2FA. But I definitely think the SMS approach has proven to be insecure and should be banned.”
Blockchain security firm CertiK has warned of the dangers of using SMS two-step verification, with its security expert Jesse Leclere telling Cointelegraph that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”