



Google has released an update to its popular authenticator app that stores one-time codes in cloud storage. This allows users who lose their authenticator-equipped device to maintain access to two-factor authentication (2FA).

In a blog post announcing the update on April 24, Google said the one-time codes would be stored in users’ Google Accounts, claiming that they would better protect users from being locked out and improve convenience and security.

In an April 26 post to the r/Cryptocurrency forum, Reddit user u/pojut said that while the update helps people who lose the device holding their authenticator app, it also makes them more vulnerable to hackers.

By protecting the password in cloud storage associated with the user’s Google account, anyone with access to the user’s Google password will subsequently have full access to the app linked to the authenticator.

A user suggested using an old phone that is only used to store an authenticator app as a way to avoid problems with SMS 2FA.

Also, if possible, I highly recommend having another device (perhaps an old phone or an old tablet) whose only purpose in life is to be used for your authenticator app of choice. Do not put anything else on it and do not use it for anything else.

Similarly, cybersecurity developer Mysk took to Twitter to warn about the additional complexities involved with Google’s cloud storage-based solution to 2FA.

Google has updated its 2FA Authenticator app with a long-awaited feature: the ability to sync secrets across devices.

TL;DR: Don’t turn it on.

A new update allows users to sign in with their Google account and sync 2FA secrets across iOS and Android devices.

Mysk (@mysk_co) April 26, 2023

This could prove to be a significant concern for users who rely on Google Authenticator for 2FA to log into their crypto exchange accounts and other finance-related services.

Other 2FA security issues

The most common 2FA hack is a form of identity fraud known as SIM swapping, where scammers take control of a victim's phone number by tricking the telecom provider into linking it to a SIM card the scammers hold.

A recent example of this can be seen in the lawsuit filed against US-based cryptocurrency exchange Coinbase. The lawsuit claimed that the customer lost 90% of his life savings after falling victim to such an attack.

Notably, Coinbase itself recommends using an authenticator app for 2FA instead of SMS, stating that SMS 2FA is the least secure form of authentication.

I believe his password was compromised because it was used on another site, one of which was compromised. Coinbase also labels his Authenticator app for his 2FA as “secure” and recommends labeling SMS as “moderately secure.”

Dave Ferguson (@_sc0rn) March 7, 2023


On Reddit, users discussed the lawsuit and even proposed banning SMS 2FA, although one Reddit user said it is currently the only authentication option available for many fintech and cryptocurrency-related services.

Unfortunately, many of the services I use do not yet offer Authenticator 2FA. However, I believe the SMS approach has proven to be insecure and should be banned.

Blockchain security firm CertiK has warned of the dangers of using SMS 2FA, and its security expert Jesse Leclere told Cointelegraph that SMS 2FA is better than nothing, but it is the weakest form of 2FA currently in use.


