



The Google Authenticator 2FA app has been heavily featured in cybersecurity news articles lately, with Google adding the ability to back up your 2FA data to the cloud and then restore it to other devices.

To explain, a 2FA (two-factor authentication) app is a program that runs on your phone or tablet to generate a one-time login code that helps protect your online accounts with more than just a password.

The problem with traditional passwords is that there are many ways fraudsters can ask for, steal, or borrow passwords.

There is shoulder surfing, where a rogue in your midst peeks over your shoulder while you are typing. There are inspired guesses, where you have used a phrase that scammers can predict based on your personal interests. There is phishing, which tricks you into giving your password to a scammer. There is also keylogging, where malware already embedded on your computer tracks what you type and secretly starts recording every time you visit a website of interest.

And because traditional passwords typically stay the same from login to login, fraudsters who find a password today can often use it repeatedly at their leisure, for weeks, sometimes months, and sometimes years.

So 2FA apps with one-time login codes augment your regular password with an additional secret (usually a 6-digit number) that changes each time.

Phone as a second factor

The 6-digit codes commonly generated by 2FA apps are calculated right on your smartphone, not on your laptop. They are based on a “seed” or “starting key” stored on your phone. They are protected by the lock code on your phone, not by a password you regularly enter on your laptop.

That way, scammers who ask for, borrow, or steal your regular passwords won’t be able to dive right into your account.

These attackers also need access to your phone and need to be able to unlock your phone in order to run the app and retrieve the one-time code. (The code is usually based on the date and time to the nearest half-minute, so it changes every 30 seconds.)

Even better, the latest mobile phones include a tamper-proof secure storage chip (Apple calls its chip the Secure Enclave; Google's is known as Titan). Confidentiality is preserved even if the chip is removed and someone tries to mine the data offline through small electrical probes, or by chemical etching combined with electron microscopy.

Of course, this “solution” has its own problems. I mean, how do you back up those all-important 2FA seeds in case you lose your phone or buy a new one and want to switch to it?

A Dangerous Way to Back Up Seeds

Most online services require you to enter a 20-byte random data string to set the 2FA code sequence for your new account, by carefully typing 32 characters in base-32 encoding, which uses the letters A to Z and the six digits 234567 (zero and one are not used because they look like O-for-Oscar and I-for-India).

However, you can usually avoid manually tapping the starting secret by scanning a special kind of URL via a QR code instead.

These special 2FA URLs have the account name and starting seed encoded like this (we limit the seed to 10 bytes, or 16 base-32 characters, here to keep the URLs short):

You can probably guess where this is going.

When you fire up your phone’s camera to scan this kind of 2FA code, you may be tempted to take a picture of the code first to use as a backup…

…but I would advise against doing that, because anyone who later gets hold of those photos (e.g. from a cloud account, or because you accidentally transferred them) will know your secret seed and can easily generate the right sequence of 6-digit codes.
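To see why a stored copy of the setup URL is as sensitive as the seed itself, here is an added Python example (not from the original article) that parses an otpauth:// URL and derives codes as RFC 6238 specifies. The account label alice@example.com is made up; the secret and issuer are those of the constructed URL the article shows further down, whose raw seed is F4316E3FCAB00A6152CC in hex.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the account label is made up; the secret and issuer
# are the ones in the article's own constructed setup URL.
SAMPLE_URL = "otpauth://totp/alice@example.com?secret=6QYW4P6KWAFGCUWM&issuer=Amazon"


def parse_otpauth(url):
    """Split an otpauth:// URL into (label, issuer, raw seed bytes)."""
    parts = urlparse(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URL")
    query = parse_qs(parts.query)
    b32 = query["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # b32decode insists on padding
    seed = base64.b32decode(b32)
    issuer = query.get("issuer", [""])[0]
    return unquote(parts.path.lstrip("/")), issuer, seed


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on seed and time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    import time
    label, issuer, seed = parse_otpauth(SAMPLE_URL)
    print(label, issuer, seed.hex().upper())
    print("current code:", totp(seed, time.time()))
```

Nothing in the calculation is tied to the phone: the URL alone, whether in a photo or a cloud backup, is enough to reproduce every future code, which is why it needs the same protection as the seed inside the app.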

So how do you reliably back up your 2FA data without keeping plaintext copies of those pesky multi-byte secrets?

Google Authenticator for Cases

Google Authenticator recently decided to launch a belated 2FA “Account Sync” service. This allows you to back up your 2FA code sequences to the cloud and restore them later on a new device, for example if you lose or replace your phone.

As one news outlet explained, “Google Authenticator adds long-awaited and important functionality after 13 years.”

But how secure is this account sync data transfer?

Is secret seed data encrypted in transit to Google’s cloud?

As you can imagine, the cloud upload part of transferring the 2FA secret is indeed encrypted. This is because Google, like all security-conscious companies, has been using HTTPS, and only HTTPS, for all web-based traffic for several years.

But can you encrypt your 2FA account data with your own passphrase before it leaves your device?

That way, it can’t be intercepted, subpoenaed, leaked, or stolen (legally or otherwise) while it’s stored in cloud storage.

After all, another way to say “in the cloud” is simply “stored on someone else’s computer.”

Guess what?

Our friends, the indie coders who discuss cybersecurity at @mysk_co, have featured on Naked Security several times before, and they decided to check it out.

What they reported is not very encouraging.

Google has updated its 2FA Authenticator app with a long-awaited feature: the ability to sync secrets across devices.

TL;DR: Don’t turn it on.

A new update allows users to sign in with their Google account and sync 2FA secrets across iOS and Android devices. pic.twitter.com/a8hhelupZR

— Mysk (@mysk_co) April 26, 2023

As noted above, @mysk_co claims that:

2FA account details, including seeds, were not encrypted within the HTTPS network packets. This means that the seeds are available to Google once the transport-level encryption is removed after the upload arrives. So, implicitly, they are available to anyone with a search warrant for the data.

There is no passphrase option to encrypt uploads before they leave the device. As the @mysk_co team points out, this feature is available when syncing information from Google Chrome, so it seems strange that the 2FA sync process doesn’t provide a similar user experience.

Below is a constructed URL generated to set up a new 2FA account with the Google Authenticator app.

otpauth://totp/[email protected]?secret=6QYW4P6KWAFGCUWM&issuer=Amazon

Here’s a packet grab of the network traffic that Google Authenticator synced with the cloud, with the Transport Layer Security (TLS) encryption removed.

Note that the highlighted hex characters match the raw 10 bytes of data corresponding to the base-32 “secret” in the URL above.

    $ luax
    Lua 5.4.5  Copyright (C) 1994-2023 Lua.org, PUC-Rio
               __
           ___(o)>
           \ <_. )
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Added Duck's favourite modules in package.preload{}
    > b32seed = '6QYW4P6KWAFGCUWM'
    > rawseed = base.unb32(b32seed)
    > rawseed:len()
    10
    > base.b16(rawseed)
    F4316E3FCAB00A6152CC

What should I do?

I agree with @mysk_co’s suggestion. “For now, we recommend using the app without the new sync feature.”

Given that this feature already exists in the Chrome browser, as explained on Chrome’s own help page, I’m sure Google will add a passphrase feature to the 2FA sync feature soon.

Keep information private

A passphrase allows you to use Google’s cloud to store and sync your Chrome data without Google reading it. […] A passphrase is optional. Synchronized data is always protected by encryption while in transit.

If you’ve already synced your seeds, don’t panic (seeds aren’t shared with Google in a way that someone else can easily snoop on them). Now decide you probably should have defended yourself.

After all, you may have set up 2FA for online services like your bank account, where the terms of service require that you keep all your login credentials, including passwords and seeds, to yourself and not share them with anyone, not even Google.

Anyway, if you’re in the habit of taking a picture of your 2FA seed’s QR code without giving it much thought, I’d advise against doing so.

As we like to say at Naked Security:

Data that you keep to yourself can’t be leaked, stolen, subpoenaed, or shared with third parties of any kind, whether intentionally or accidentally.

Update. Google responded on Twitter to @mysk_co’s report, admitting that it intentionally released the 2FA account sync feature without using so-called end-to-end encryption (E2EE), but the company said, “We have plans to provide E2EE for Google Authenticator.” “The option to use the app offline remains an alternative for those who prefer to manage their backup strategy themselves,” the company also said. [2023-04-26T18:37Z]

