TLDR (made by Kagi)
A security company called Retool disclosed that a recent internal network breach was exacerbated by a feature in Google Authenticator. An employee at Retool was tricked into providing their password and one-time password from Google Authenticator. This allowed the attackers to add their own device to the employee’s Okta account, gaining access to multi-factor authentication codes. Interestingly, Google Authenticator recently added a synchronization feature that syncs MFA codes to the cloud, which is highly insecure as it means compromised Google accounts result in compromised MFA codes as well. In total, the breach impacted 27 customer accounts in the cryptocurrency industry after the attackers were able to produce their own Okta MFA codes from that point onward. Retool criticized this Google Authenticator sync feature for magnifying the severity of the breach.
This article was shared on Arstechnica which is very interesting. Via a phishing attach and next some social engineering by pretending to be IT, an attacker gained access to a person their Google authenticator codes and thus the user company account. This was due to a feature in Google authenticator that syncs the codes and adding a new device is really easy.
While this is ofcourse bad, I also understand Google their standpoint. For normal, non technical people, this is just a convincient way of backing up the codes. I personally use Aegis. When I hit export (password protected export), that file is added to a folder on my phone which syncs to my laptop via Synthing where I back it up. Both devices are also encrypted. I can understand that this is to much for some people.
I am not sure if Microsoft Authenticator has a similar flaw which is also used a lot by companies. And I know people don’t like Authy but they make it much harder to add new device.
Sounds like Retool needs to educate their employees on phishing instead of blaming Google Authenticator’s syncing feature.
While that phishing attack was indeed fairly basic, how would this have evolved if for example authy was used? Beside requiring the source device to approve the new device, the codes are also encrypted and thus an additional password is needed.
Thank you for sharing the article! I once tried google authenticator and i gave up soon after because there was no sync feature. Now i see codes do sync and google accounts are targeted more because google holds more information now. Blaming the victim for not being instructed or trusting somebody who claims to be a colleague is burying the solution. Expecting to be a victim of an attack, and choosing safety measures is often, if not always seen as irrational. with that in mind we should expect more from the Alphabet owned company since they vallue security over privacy😇
As mentioned later in the article the real issue here is that the company should have been using hardware security keys which are immune to phishing.
That would indeed be a solution though I am not sure if it is user friendly enough for the average employee. This means that they have to bring that key with them all the time. And what happens if they lose the key?
There are solutions for this. Many companies have already moved to security keys including Google. If Google can find a way to manage security keys for all its employees I would imagine many smaller firms could figure it out.
After all no matter how inconvenient security keys may be over TOTP; a breach is far more inconvenient.
This is valid but ignores the fact that usability concerns (at Google scale) must also be accounted for in the threat model. I mean, a huge amount of resources have been thrown at WebAuthn to counteract phishing. I get that any extra step results in a bad UX especially for something “syncing” things seamlessly, but it behooves Google to add options to lock down this syncing of TOTP principals and credentials for folks who might want that extra protection against stupidly easy to make mistakes.