Raising concerns over Google Authenticator’s new features

Padlock on a keyboard signifying security
(Image credit: Passwork)

You may have seen the recent news about a new feature in Google Authenticator (GA) which may have IT teams wondering if they need to adjust any reliance on the app for authentication and security within their networks or apps. It has certainly raised questions on the risks posed to both users and enterprises and, what should be done to effectively protect them using passwords and two-factor authentication (2FA).

Why is Google Authenticator used?

Google Authenticator was first launched back in 2010 as a mobile application that was a more secure 2FA alternative to SMS one-time codes. The differentiator was its enhanced security capabilities, as the app created codes on the user’s device, while not needing to travel via insecure networks.

Fast forward to the present day, the new feature on Google Authenticator now enables users to synchronize 2FA codes on multiple devices through the cloud. The flexibility this feature provides has been requested by many users for a substantial amount of time, mainly because it removes the need to reset each code when a device is lost or stolen, while also streamlining access to 2FA codes on a new device.

Darren James

Darren James is Senior Product Manager at Specops Software.

The security concerns raised

There have been serious concerns about this new update from within the cybersecurity industry, with some researchers vocal on social media after it was revealed the syncing process is not encrypted:

“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. Why is this bad? Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”

This goes against a key objective of the app. When it was first launched, the app was designed to provide an option so that codes did not travel via insecure networks.

Furthermore, the lack of encryption will leave users vulnerable to the possibility of data leakage and Google account takeover. Should a threat actor gain access to the 2FA QR code, which is used to create the one-time codes, the cybercriminal will then have visibility to the same codes.

Considering Google Authenticator is a popular 2FA option for users – it has been downloaded over 100 million times – these are not the first security issues reported. In 2020, Android malware was found stealing one-time passwords from Google Authenticator. Moreover, the lack of additional security layers has been noted, specifically the lack of passcode or biometric security on the app which only raises the risk to organizations if a device is stolen or lost and infiltrated.

Organisations operating post-pandemic have also seen an increased reliance on BYOD (Bring Your Own Device) in the workspace. This heightens the danger posed to businesses because IT departments don’t have control over the user’s device and can’t wipe them.

What should IT departments do?

Firstly, IT personnel that are concerned about Google Authenticator’s new feature should understand the device holder has to enable it. Until this is done, the risk posed to the business is relatively low.

Second, explain to users that have downloaded GA the risk that is posed by the update and to not activate it until end-to-end encryption is supplied by Google on the app.

To add further security, ensure a flexible multi-factor authentication (MFA) platform is implemented. This will give you control and the ability to modify how much weight a single factor of concern has when managing user authentication. This layered approach will ensure MFA is running even when identity service disruptions occur, whether that be if a device is lost or stolen, the identity service is down or compromised.

The role of the password is pivotal in this story and should not be neglected. It is the first wall of defense with Google Authenticator being the second defence. Should password become compromised, only then will any security issues arise concerning the app. To effectively protect your organizations Active Directory passwords, deploy a solution that will manage and enforce a secure password policy with an emphasis on blocking compromised passwords. This will ensure better password security practises are followed and removes the likelihood of a user reusing passwords that have been breached.

Understand MFA is not 100% secure– no element of security is, and each will have potential weaknesses that can be exploited by cybercriminals. Proactive IT teams should know this and make decisions that will benefit both the organization and the user without putting either in jeopardy. Remember, having a layered approach to securing MFA and passwords will greatly reduce the risk posed to the workforce and the entire organization.

We've featured the best business VPN.

Darren James is a Product Specialist and cyber security expert at Specops Software.