
Comment

For personal use, watch out if you use Google Authenticator with the sync-to-the-cloud feature. If your Google account is compromised, e.g. you get phished:

  • Your 2FA for other accounts might be compromised as well.

  • If you use the Gmail address for other accounts' password recovery, the passwords for those accounts may be reset/compromised too, regardless of how complex the passwords are.

Question

For personal use, because "Google Prompt" on an Android device is automatically the default 2FA for a Google account, can you delete this default 2FA method and just enable a FIDO2 key on the Google account?

Summary

Google's Authenticator app, designed for generating Multi-Factor Authentication (MFA) codes, was criticized by a security company called Retool for exacerbating a recent internal network breach. The breach occurred when an employee received a deceptive text message, leading them to share their login credentials, including a Temporary One-Time Password (TOTP), with the attackers. The situation escalated due to Google's Authenticator sync feature introduced in April, which allowed the attackers to compromise multiple company accounts once they gained access to the employee's Google account.

This synchronization feature stored MFA codes in the cloud, making them vulnerable if the Google account was compromised. Retool argued that Google employed unclear settings for disabling this feature, making it challenging for users and administrators to prevent. As a result, the attackers exploited this vulnerability to gain access to various accounts, including VPNs and internal systems, enabling them to take over specific customer accounts in the cryptocurrency industry.

Retool's security shortcomings were also highlighted, as they relied on TOTPs, which can be phished with relative ease, instead of adopting more secure industry-standard MFA solutions like FIDO2. While Google defended its syncing feature, emphasizing its benefits for user convenience, they acknowledged the preference for local storage of OTPs in enterprise environments.

There’s a good argument to be made that Retool used the Google Authenticator issue to deflect attention away from Retool’s culpability in the compromise.

In conclusion, the incident underscores the importance of adopting FIDO2-compliant MFA for robust security, while Google's Authenticator app is seen as a middle-ground option that may be inadequate for enterprises where security is paramount.
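The summary's point that TOTP codes can be phished with relative ease while FIDO2 resists it comes down to one verification step. The following added Python illustration (not code from the thread, Retool or Google) shows both checks side by side: the TOTP verification follows RFC 6238 using only the standard library, while the WebAuthn part is a toy in which an HMAC keyed with a per-credential key stands in for the authenticator's public-key signature and authenticatorData is reduced to rpIdHash, flags and a counter. The origins, seeds and challenge are constructed values.

```python
"""Why a relayed TOTP code is accepted but a relayed FIDO2 assertion is not.

Added illustration, not code from the thread. Simplifications, labelled:
- TOTP follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) using only the stdlib.
- The WebAuthn part is a toy: an HMAC with a per-credential key stands in for
  the authenticator's public-key signature, and authenticatorData is reduced to
  rpIdHash || flags || signCount. Origins and secrets are constructed values.
"""
import hashlib
import hmac
import json
import struct

STEP = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Note what is absent: nothing ties the code to the
    site the user typed it into, so a code captured on a look-alike page and
    forwarded within the window is indistinguishable from a legitimate one."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * STEP), code)
        for k in range(-window, window + 1)
    )


def rp_id_for(origin: str) -> str:
    """Browser-side: the RP ID defaults to the effective domain of the page
    origin. The page's own JavaScript cannot substitute a different domain."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def browser_get_assertion(cred_key: bytes, origin: str, challenge: str) -> dict:
    """Toy navigator.credentials.get(): the browser writes the real origin into
    clientDataJSON and the authenticator signs over rpIdHash plus the hash of
    clientDataJSON. (HMAC stands in for the credential's signature.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    auth_data = hashlib.sha256(rp_id_for(origin).encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(cred_key: bytes, expected_origin: str, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks in the order the WebAuthn assertion procedure lists
    them: type, challenge, origin, rpIdHash, then the signature."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get" or client.get("challenge") != expected_challenge:
        return False
    if client.get("origin") != expected_origin:
        return False  # the origin check is what makes FIDO2 phishing-resistant
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id_for(expected_origin).encode()).digest():
        return False
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def relay_scenario() -> dict:
    """Same user, same second, same real site; the only difference is the
    look-alike origin the user is actually on. Returns the real site's decisions."""
    real_origin = "https://login.example.com"               # constructed
    lookalike_origin = "https://login-example.com.example"  # constructed
    now = 1_694_908_800                                     # fixed time so results are reproducible
    totp_seed = b"constructed-totp-seed-0123456789"
    cred_key = b"constructed-credential-key"
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"

    # TOTP: the code the user reads from the app is forwarded unchanged to the
    # real site within the same time step, and the real site cannot tell.
    typed_on_lookalike = totp(totp_seed, now)
    totp_relay_accepted = verify_totp(totp_seed, typed_on_lookalike, now + 5)

    # FIDO2: the real site's challenge reaches the user's browser, but the browser
    # stamps the look-alike origin and rpIdHash into the signed data.
    legit = browser_get_assertion(cred_key, real_origin, challenge)
    relayed = browser_get_assertion(cred_key, lookalike_origin, challenge)
    return {
        "totp_relay_accepted": totp_relay_accepted,
        "fido2_direct_accepted": rp_verify(cred_key, real_origin, challenge, legit),
        "fido2_relay_accepted": rp_verify(cred_key, real_origin, challenge, relayed),
    }
```

Running `relay_scenario()` returns `totp_relay_accepted` and `fido2_direct_accepted` as `True` and `fido2_relay_accepted` as `False`. The contrast is the whole argument: a TOTP verifier has only the shared seed and the clock to go on, whereas a FIDO2 relying party sees the origin the browser recorded and the rpIdHash the authenticator committed to, neither of which a look-alike page can alter.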

[-] Eezyville@sh.itjust.works 63 points 1 year ago

So you went and put all your trusted passwords, 2FAs, FIDO2, and other secrets with Google? Looks like these tech companies are turning into data dragons. Only a matter of time before some adventurers decide to loot the dragon.

[-] Appoxo@lemmy.dbzer0.com 10 points 1 year ago

I would argue such big companies could be trusted to some extent with storing stuff securely.
You don't hear much of a data breach from Google.

But on the other hand you had the Microsoft e-mail incident...

[-] Eezyville@sh.itjust.works 1 points 1 year ago

I personally don't trust them because of the Edward Snowden revelations.

The NSA is not a threat to your cybersecurity. If they want information from you they will put you in a van and beat you with a wrench until you give them the password. If the US Govt has decided you are a threat your problems are bigger than if someone can steal your Steam account.

[-] Appoxo@lemmy.dbzer0.com 3 points 1 year ago

You can trust nothing lol.
The only thing you could trust is a fully air-gapped system you personally update and patch with manually attached storage (like USB SSDs/HDDs) and never ever let it see the light of the internet.

[-] IMongoose@lemmy.world 9 points 1 year ago

I don't think it matters what 2FA the target had here, the attackers had him hook, line and sinker. The bigger issue is that the attacker knew everything about how the company worked internally, including staff. I would not be surprised if this company was already compromised, either by an external actor or an internal one.

[-] sturmblast@lemmy.world 4 points 1 year ago

hehe 'Data Dragons'

this post was submitted on 17 Sep 2023
269 points (97.5% liked)