Google has released an update to its popular Authenticator app that stores users' "one-time codes" in cloud storage, allowing users who lose a device with Authenticator installed to retain their two-factor authentication (2FA) access.
In a blog post announcing the update on April 24, Google said the one-time codes would be stored in users' Google accounts, claiming that users would have "better protection against lockouts" and that the feature would increase "convenience and security."
In a Reddit post to the r/Cryptocurrency forum on April 26, Redditor u/pojut wrote that while the update does help those who have lost their devices and their authenticator apps, it also makes them more vulnerable to hacks: by saving the codes in cloud storage tied to the user's Google account, anyone who has access to the user's Google password gains full access to every account protected by the Authenticator. One potential solution users have suggested to fix SMS 2FA issues is to use an old phone dedicated solely to running your authenticator app.
"I also strongly recommend that if possible you should have a separate device (maybe an old phone or old tablet) whose sole purpose in life is to be used for the authentication app of your choice. Nothing else on it, nor useless." Likewise, cybersecurity developer Mysk warned on Twitter that Google's cloud storage-based 2FA solution would introduce additional complications. This could be a significant problem for users who rely on Google Authenticator for 2FA to log into their cryptocurrency trading accounts and other financial services.
The most common 2FA hack is a type of identity fraud known as "SIM swapping," where scammers take control of a phone number by tricking telecom providers into linking the number to their own SIM card. A recent example is a lawsuit filed against US cryptocurrency exchange Coinbase, in which a customer claimed to have lost "90% of his life savings" after falling victim to such an attack.
It's worth noting that Coinbase itself encourages the use of authenticator apps for 2FA over SMS, describing SMS 2FA as the “least secure” form of authentication. On Reddit, users discussed the lawsuit and even proposed banning SMS 2FA, although one Reddit user pointed out that it is currently the only authentication option available for many fintech and cryptocurrency-related services:
"Unfortunately, many of the services I use don't yet offer Authenticator 2FA. But I definitely think the SMS method has proven to be insecure and should be banned." Blockchain security firm CertiK has warned of the dangers of using SMS 2FA, with its security expert Jesse Leclere telling Cointelegraph, “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA in use today.”