The danger with Google’s new cloud backup for 2FA authenticator
Google released an update for its popular authenticator app that stores a “one-time code” in cloud storage, allowing users who have lost the device with their authenticator on it to retain access to their two-factor authentication (2FA).
In an April 24 blog post announcing the update, Google said the one-time codes will be stored in a user’s Google Account, claiming that users would be “better protected from lockout” and it would increase “convenience and security.”
In an April 26 Reddit post to the r/Cryptocurrency forum, Redditor u/pojut wrote that while the update does assist those who lose the device with their authenticator app on it, it also makes them more vulnerable to hackers.
By securing it in cloud storage associated with the user’s Google account, it means that anyone who can gain access to the user’s Google password would then subsequently obtain full access to their authenticator-linked apps.
The user suggested that a potential way around the SMS 2FA issue is to use an old phone that is exclusively used to house your authenticator app.
“I’d also strongly suggest that, if possible, you should have a separate device (perhaps an old phone or old tablet) whose sole purpose in life is to be used for your authentication app of choice. Keep nothing else on it, and use it for nothing else.”
Similarly, cybersecurity developers Mysk took to Twitter to warn of additional complications that come with Google’s cloud storage-based solution to 2FA.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.TL;DR: Don't turn it on.The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.…
Read more on cointelegraph.com
