The Google Authenticator 2FA app has featured heavily in cybersecurity news stories recently, with Google adding a feature to let you back up your 2FA data to the cloud and then restore it to other devices.
To recap, a 2FA (two-factor authentication) app is one of those programs you run on your mobile phone or tablet to generate one-time login codes that help protect your online accounts with more than just a password.
The problem with traditional passwords is that there are countless ways a crook can beg, steal, or borrow them.
There’s shoulder-surfing, where there’s a crook peering over your shoulder as you type it in; there’s guesswork, where you use a phrase that a scammer can predict based on your personal interests; there’s phishing, where you’re lured into handing over your password to an impostor; and there’s keylogging, where malware already planted on your computer keeps track of what you type and secretly starts recording whenever you visit an interesting-looking website.
And because traditional passwords usually stay the same from login to login, crooks who discover a password today can often use it at their leisure, often for weeks, perhaps months, and sometimes even years.
So 2FA apps, with their one-time login codes, augment your regular password with an extra secret, usually a six-digit number, that changes every time.
Your phone as another factor
The six-digit codes generated by 2FA apps are typically calculated on your phone, not on your laptop; they’re based on a “seed” or “initialisation key” stored on your phone; and they’re protected by the lock code on your phone, not by any password you regularly type on your laptop.
That way, crooks who beg, borrow, or steal your regular password can’t go straight into your account.
Those attackers also need access to your phone, and they need to be able to unlock your phone to run apps and get a one-time code. (Codes are usually based on the date and time to the nearest half minute, so they change every 30 seconds.)
Even better, modern phones include tamper-proof secure storage chips (Apple calls theirs the Secure Enclave; Google’s is known as Titan) that keep their secrets even if you manage to take the chip apart and try to extract the data offline via miniature electrical probes, or via chemical etching combined with electron microscopy.
Of course, this “solution” brings a problem of its own, namely: how do you back up those all-important 2FA seeds if you lose your phone, or buy a new one and want to switch?
A dangerous way to back up seeds
Most online services require you to set up a 2FA code sequence for a new account by entering a 20-byte string of random data, meaning either 40 hexadecimal (base-16) characters, one for each half-byte, or, in base-32 encoding, 32 carefully-typed characters, which use the letters A
To Z
and the six digits 234567
(zero and one are unusable because they look like O-for-Oscar and I-for-India).
Except that you usually get to avoid the hassle of manually typing in your initial secret by scanning in a special type of URL via a QR code instead.
This special 2FA URL has the account name and initial seed encoded in it, like this (we’ve limited the seed here to 10 bytes, or 16 base-32 characters, to keep the URL short):
You can probably guess where this is going.
When you fire up your mobile phone’s camera to scan in these types of 2FA codes, it’s tempting to take a photo of the codes first, to use as a backup…
…but we urge you not to do that, because anyone who gets hold of those pictures later (for example from your cloud account, or because you forwarded them by mistake) will know your secret seed, and will trivially be able to generate the right sequence of six-digit codes.
So, how do you reliably back up your 2FA data without keeping plaintext copies of those pesky multi-byte secrets?
Google Authenticator on the case
Well, Google Authenticator recently, if belatedly, decided to start offering a 2FA “Account Sync” service, so you can back up your 2FA code sequences to the cloud and restore them later on a new device, for example if you lose or change your phone.
As one media outlet described it, “Google Authenticator adds long-awaited important feature after 13 years.”
But how secure is this account sync data transfer?
Is your secret seed data encrypted in transit to Google’s cloud?
As you can imagine, the cloud upload part of transferring your 2FA secrets is indeed encrypted, because Google, like every security-conscious company out there, has been using HTTPS-and-only-HTTPS for all its web-based traffic for several years now.
But are your 2FA accounts encrypted with a passphrase that is uniquely yours before they leave your device?
That way, they can’t be intercepted (lawfully or otherwise), subpoenaed, leaked or stolen while they’re in cloud storage.
After all, another way of saying “in the cloud” is simply “saved on someone else’s computer.”
Guess what?
Our indie-coder and cybersecurity friends at @mysk_co, whom we’ve written about many times before on Naked Security, decided to find out.
What they reported doesn’t sound terribly encouraging.
Google just updated its 2FA authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don’t turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
As you can see above, @mysk_co claims the following:
- Your 2FA account details, including the seed, were unencrypted inside their HTTPS network packets. In other words, once the transport-level encryption is stripped off after upload, your seeds are available to Google, and thus, by implication, to anyone with a search warrant for your data.
- There is no passphrase option to encrypt your upload before it leaves your device. As the @mysk_co team points out, this feature is available when syncing information from Google Chrome, so it seems odd that the 2FA sync process doesn’t provide the same user experience.
Here’s the spoofed URL they generated to set up a new 2FA account in the Google Authenticator app:
otpauth://totp/Twitter@Apple?secret=6QYW4P6KWAFGCUWM&issuer=Amazon
And here’s a packet grab of the network traffic that Google Authenticator synced to the cloud, with the Transport Layer Security (TLS) encryption stripped off:
Note that the highlighted hexadecimal characters match the raw 10 bytes of data corresponding to the base-32 “secret” in the URL above:
$ luax
Lua 5.4.5  Copyright (C) 1994-2023 Lua.org, PUC-Rio
   __
___( o)>
\ <_. )
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Added Duck's favourite modules in package.preload{}
> b32seed = '6QYW4P6KWAFGCUWM'
> rawseed = base.unb32(b32seed)
> rawseed:len()
10
> base.b16(rawseed)
F4316E3FCAB00A6152CC
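To show the same thing in Python, and to show why a leaked seed is all a crook needs, here is an added example (not the article’s or Google’s code) that parses the otpauth:// URL above, base-32 decodes the secret into the same 10 raw bytes, and then computes the RFC 6238 TOTP code for a given time. The parameter defaults (6 digits, 30-second period, HMAC-SHA1) are the standard ones that Google Authenticator uses unless the URL says otherwise.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# The otpauth URL as printed in the article (10-byte seed, 16 base-32 characters).
OTPAUTH_URL = "otpauth://totp/Twitter@Apple?secret=6QYW4P6KWAFGCUWM&issuer=Amazon"


def parse_otpauth(url):
    """Split an otpauth://totp/... URL into its label, raw seed bytes and parameters."""
    parts = urlparse(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = params["secret"].upper()
    # RFC 4648 base-32 uses A-Z and 2-7 (no 0 or 1); pad to a multiple of 8 characters.
    b32 += "=" * (-len(b32) % 8)
    seed = base64.b32decode(b32)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "seed": seed,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(seed, unix_time, digits=6, period=30):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = int(unix_time) // period          # the code changes every `period` seconds
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    acct = parse_otpauth(OTPAUTH_URL)
    print("raw seed:", acct["seed"].hex().upper())   # F4316E3FCAB00A6152CC
    print("code at t=59:", totp(acct["seed"], 59, acct["digits"], acct["period"]))
```

The raw bytes printed match the highlighted hex in the packet grab, which is the whole point: whoever holds those 10 bytes, whether from a photo of the QR code or from an unencrypted cloud backup, can run totp() and get the same six-digit codes your phone does.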
What to do?
We agree with @mysk_co’s suggestion, which is, “We recommend using the app without the new sync feature for now.”
We’re sure that Google will soon add a passphrase option to the 2FA sync feature, not least because this feature already exists in the Chrome browser, as explained in Chrome’s own help pages:
Keep your information private
With Passphrase, you can use Google’s cloud to store and sync your Chrome data without letting Google read it. […] Passphrase is optional. Your synced data is always protected by encryption while in transit.
If you have already synced your seeds, don’t panic (they weren’t shared with Google in a way that would make it easy for someone else to figure them out), but you will now need to reset the 2FA sequence for any accounts you’ve set up.
Finally, you may have 2FA set up for online services such as bank accounts where the terms and conditions require you to keep all login credentials, including passwords and seeds, to yourself, and never to share them with anyone, not even Google.
If you are in the habit of taking pictures of the QR codes for your 2FA seeds anyway, without thinking too much about it, we recommend that you don’t.
As we like to say at Naked Security: If in doubt / don’t give it out.
Data you don’t hand over can’t be leaked, or stolen, or shared onwards with third parties of any kind, whether intentionally or by mistake.
Update. Google has responded on Twitter to the report from @mysk_co, admitting that it deliberately released the 2FA account sync feature without so-called end-to-end encryption (E2EE), but claiming that the company “plans to offer E2EE down the line for Google Authenticator.” The company also stated that “for those who prefer to manage their backup strategy themselves, the option to use the app offline will be an option.” [2023-04-26T18:37Z]