The threat with Google’s new cloud backup for 2FA authenticators

Google has released an update to its popular authenticator app that stores a “one-time code” in cloud storage to help users retain access to two-factor authentication (2FA) if they’ve lost a device with their authenticator.

In an April 24 blog post announcing the update, Google said that the one-time codes will be stored in the user’s Google Account, claiming that users will be “better protected against lockouts” and that it will increase “convenience and security.”

In an April 26 Reddit post on the r/Cryptocurrency forum, Redditor u/pojut wrote that while the update helps those who lose devices with their authenticator app, it also makes them more vulnerable to hackers.

Storing it in cloud storage tied to a user’s Google account means that anyone who can gain access to that user’s Google password will later gain full access to their authenticator-linked apps.

A user suggested that a possible way around the SMS 2FA issue is to use an old phone that is used only to hold your authenticator app.

“I would also strongly suggest that, if possible, you should have a separate device (perhaps an old phone or an old tablet) whose sole purpose in life is to use it for the authentication application of your choice. Put nothing else on it, and use it for nothing else.”

Likewise, cybersecurity developers Misc took to Twitter to warn of additional complications that come with Google’s cloud storage-based solution to 2FA.

This could cause significant concern for users who use Google Authenticator for 2FA to log into their crypto exchange accounts and other finance-related services.

Other 2FA security issues

The most common 2FA hack is a form of identity fraud known as “SIM swapping,” where scammers gain control of a phone number by tricking a telecommunications provider into linking the number to their own SIM card.

A recent example of this can be seen in a lawsuit filed against United States-based cryptocurrency exchange Coinbase, where a customer claimed to have lost “90% of his life savings” after falling victim to such an attack.

Notably, Coinbase itself encourages the use of authenticator apps for 2FA as opposed to SMS, describing SMS 2FA as the “least secure” form of authentication.

On Reddit, users discussed the lawsuit and even proposed that SMS 2FA be banned, although one Reddit user noted that it is currently the only authentication option available for a number of fintech and cryptocurrency-related services:

“Unfortunately many of the services I use do not yet offer authenticator 2FA. But I definitely think the SMS approach has been proven unsafe and should be banned.”

Blockchain security firm CertiK has warned about the dangers of using SMS 2FA, with its security expert Jesse LeClair telling Cointelegraph that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”