Google Authenticator: Why You Should Get Rid Of It ASAP
When Google Authenticator first appeared on the scene in 2010, it seemed to offer nothing short of a revolution in cybersecurity. Over the past 10 years, however, Google Authenticator has struggled to keep up with the changing face of cybercrime and is now being criticized for its dependency on the vulnerable Time-based One-time Password (TOTP) verification process.
Not only is Google Authenticator outdated, but it could also expose you to unnecessary cyberthreats. Read on to find out what the issues are, what you should look for in a 2FA app, and where the vulnerabilities lie.
Google Authenticator: Why You Should Get Rid Of It ASAP
The basic premise behind Google Authenticator and other similar 2FA apps is to add a second layer of security to protect users’ sensitive login information. In most instances, it uses a combination of something you know and something you have, to verify your identity.
In the case of Google Authenticator, the first is your password and the latter the mobile device that you’ve installed the Google Authenticator app on to. This type of 2FA uses an application-specific secret key to verify your One-Time-Pins (OTPs).
Google Authenticator relies heavily on the Time-based One-time Password method which creates an OTP on the user’s device via a smartphone app through the following process:
- A backend server creates a secret key for each user
- The server shares that key with the user’s phone app
- The phone app initializes a counter
- The phone app generates a unique OTP using a combination of the user’s secret key and the counter number
- After a certain period, the phone app resets the counter and regenerates the OTP accordingly.
This all sounds great – new OTPs are created constantly, making them dynamic and therefore secure – so where’s the problem? Well, pretty much everywhere, and there’s not just one security flaw either, there’s a handful of them.
Short secret key
Google Authenticator relies on an 80-bit secret key, whereas the minimum recommended length is 126 bits and a secret key of 160 bits considered more secure. It stands to reason that “generating passwords with more digits exponentially reduces the probability of a successful attack” and Google Authenticator’s inability to do that causes its first serious vulnerability.
Google Authenticator uses both TOTP algorithms and HMAC-based One-Time Password (HOTP) algorithms to authenticate its users’ identities. HOTP relies on a hardware token, whereas TOTP software-based, making it more vulnerable to software-based attacks, such as malware infections and Distributed Denial of Service or DDOS attacks, and Man-in-the-Middle incidents.
It’s Still Using SHA1
SHA1, or Secure Hash Algorithm 1, was developed by the US National Security Agency as a Federal Information Processing Standard but hasn’t been considered secure since 2005. While Google Authenticator supports the newer and more secure SHA-256, it defaults to SHA1. Furthermore, some users claim that it “will always use SHA when computing the six-digit code, even if it has been told to use SHA256”. In part, this is purely historical – SHA1 was the recognized standard when Google Authenticator was created and its failure to keep up with regular patches and updates has left it lagging behind the competition.
Biometrics Are Nowhere to be Found
Cybersecurity apps like Google Authenticator didn’t have the option of using biometrics in the 2FA process in 2010, but now Google Authenticator’s “lack of support for iris scanners and comparable solutions is a glaring inconvenience”. The app doesn’t even have a passcode to prevent unauthorized users from accessing it, leaving its security features sadly lacking.
Cumbersome Installation Process
Not only does Google Authenticator only run on Android, Blackberry, and iOS, it also needs to be manually set up on each of your devices. If you just have a laptop and a smartphone, this isn’t too much of a problem, but if you’re gadget fiend who device surfs a lot, it could be both time-consuming and frustrating. Although you can set Google Authenticator up on several devices simultaneously, some say this is more problematic and means that “a change to one of the installations would have to be done across all devices”.
Limited Access and Recovery Support
Google Authenticator provides good security practices to some degree and, by not keeping backups of your saved sites, it reduces the likelihood of your login information being hacked or stolen. On the downside, however, without any backups, if you lose access to your smartphone, you’ll be completely locked out. Although you can use the backup codes provided by the system to recover your account, the process may take several days, during which you might be in the precarious position of being locked out of all your business accounts.
2FA and Its Vulnerabilities
When 2FA first materialized, it seems like the answer to our cybersecurity prayers. Not only would it take some of the pressure off passwords and patch some of the password-related vulnerabilities responsible for most cybercrimes, but it would also give users an extra layer of protection. It seems, however, that 2FA is not all it was cracked up to be.
One of the primary flaws in traditional 2FA is how vulnerable it is to SIM hijacking. Hackers committing this cybercrime are able to convince your mobile provider that they’re you. They manage to pass the 2FA process by using personally identifiable information acquired through a variety of dubious means, including buying it off the Dark Web. Once the cybercriminal has control over your mobile phone number, he or she will receive your OTPs from Google Authenticator, giving them access to everything from your Netflix account to your bank account.
Cybercriminals may also be able to exploit flaws in your 2FA protection through:
Phishing – the cybercriminal sends an email that looks like it’s from a valid site or service but, once the user clicks on the link included in the email, they are confronted with a site that looks legitimate but is, in fact, hosted on the cybercriminal’s server, giving them access to the user’s session cookie. If the hacker can steal the user’s session cookie, they “don’t need their username, their password, or their two-factor”.
Man in the Middle – these attacks occur when the cybercriminal intercepts the traffic traveling between the 2FA app’s server and the user’s device.
Account Recovery – many users reveal sensitive information on social media, unwittingly giving cybercriminals the information they need to complete an effective 2FA hack. For instance, if you use your mother’s maiden name as part of your 2FA login process, a hacker could easily find that information on Twitter or Facebook
Social Engineering – by pretending to be a legitimate service provider, the cybercriminal tricks their victims into sharing account details and even their OTP.
Staying Secure with 2FA
There are different solutions to the problems listed above and there have been developments in both the software and hardware side of things that can boost your security and protect you and your personal information.
When it comes to man-in-the-middle attacks, for example, the best VPNs encrypt all the data traveling to and from your device, making it a lot harder for hackers to intercept your communications. VPNs like ExpressVPN have advanced features like Always On which ensures you’re protected every time you go online, and zero-knowledge architecture that reduce the risk of your data being hacked or leaked.
Some banks are also using VPNs to improve security for their customers. “To log in to an account, the certificate on the device must match the certificate assigned to the account. Since it operates independent of SIM cards, the VPN credential prevents SIM hijackers from accessing users’ accounts”.
Sim hijacking requires a different approach, however, and security keys are offering a viable solution. Instead of verifying your identity by entering a code that has been sent to your smartphone, security keys “are little devices (typically USB, NFC or Bluetooth) that computer cryptography keys and serve as a more secure second factor that only you can physically possess”.
The best password managers also have a few useful features to bring to the table and some of them have added 2FA app functions to their software to make them more versatile and effective. Both Dashlane and 1Password have 2FA capabilities and provide users with encrypted vaults in which to store sensitive information. Of course, you can’t use a password manager’s 2FA capacities to log into the password manager app itself, but the likes of Dashlane will give you a simple way to install 2FA and sync it across all devices.
Google Authenticator’s security flaws leave users vulnerable to identity theft as well. We recommend using an identity theft protection service like Identity Guard as well. Although Identity Guard can’t necessarily stop your identity from being stolen, it will monitor your personally identifiable information and alert should your social security number or date of birth turn up for sale on the Dark Web.
New solutions and technological innovations are emerging almost daily and one of the most comprehensive comes in the form of Privafy – a cloud-native product designed to secure data in transit by “integrating the capabilities of encryption systems, virtual private networks (VPNs), firewalls, distributed denial of service (DDoS) protection, intrusion detection, and prevention systems, data loss prevention, and deep content inspection technologies”.
You don’t have to abandon 2FA altogether, however, and most cybersecurity experts agree that you shouldn’t. What you can do is find a 2FA app that offers biometric protection for the app itself, a simple setup process for multiple devices, an effective and reliable back-up and restore system, and, ideally, both biometric-based multifactor authentication and end-to-end encryption.
Secure Alternatives to Google Authenticator
One of the most popular 2FA apps around is the easy-to-use Authy which uses PIN and TouchID to protect your 2FA tokens while avoiding Man-in-the-Middle attacks by generating 2FA tokens on your device, rather than sending them to you via push notifications or SMS.
Authy encrypts all your 2FA and backs it up on secure cloud storage, so you don’t get locked out. Authy users can access their 2FA tokens on any device and sync their 2FA information across multiple devices. You can also improve security by disabling any future installations of the app.
LastPass is not only one of the best password managers around but it also offers effective 2FA protection at the touch of a button. Once you’ve paired LastPass Authenticator with your favorite sites, you’ll be able to login securely with a single tap. LastPass Authenticator supports automated push notifications, SMS codes, and 67-digit passcodes.
Like Google Authenticator, both LastPass Authenticator and Authy are free to download but, where Google Authenticator leaves its users exposed to SIM hijacking, LastPass and Authy have a multi-device feature that you can switch off. This means no one will be able to recover codes when that feature is deactivated, providing a “simple but effective way to prevent authorized devices from gaining access to your authenticator apps”.
The Future of 2FA
Developments in biometric 2FA look promising and some predict that “biometrics will play a key role in the future of mobile authentication”. Face recognition software is already in use, with Apple’s Face ID leading the way in terms of providing “dedicated hardware for security”, and a report by Juniper Research indicated that “facial recognition will read more than 800 million mobiles by the year 2024”.
Even biometric 2FA has its drawbacks, however, and, “unlike passwords or PINs, facial and voice recognition require a well-lit space that is free of motion, vibration, or white noise”. This is inevitably pretty challenging for those constantly on the move.
The developers of the Trusona password-less two-factor authentication system believe they’re onto something even more secure and reliable than biometrics. According to the product’s website, “Trusona’s Way Better 2FA generates unique, dynamic credentials that can’t be reproduced”.
Cybersecurity advisor, Frank Abagnale, says Trusona’s system means a user could buy a car and finance it through the bank without revealing to the dealer which bank it is, the user’s account number, or how much money they make. Furthermore, he says, “with Trusona, all of the data is kept with the bank or the phone company; we keep none. So, if tomorrow they would hack Trusona, they get nothing”.
Google Authenticator has had its part to play in internet security but it’s reaching the end of its usefulness. An absence of patches and updates has left Google Authenticator lagging far behind the competition and has exposed users to a range of potentially damaging vulnerabilities.
The flaws affecting Google Authenticator users don’t stop at security either, and if you get locked out of your account, you could end up locked out of all your accounts, from your online banking to your social media platforms, for days at a time.
Although we could soon enter a world without passwords, in the meantime, choosing a 2FA authenticator app that can protect you against SIM swaps, man-in-the-middle attacks, and phishing attempts is the best way to boost your online security. Similarly, security keys offer a more robust form of 2FA that you can physically keep track of and never have to share online.
Many of the best password managers have integrated 2FA apps into their software, giving users comprehensive and versatile cybersecurity protection. While we wait for Trusona to roll out the “only insured verification system”, protect yourself with something like Authy or Last Pass and add to your internet security suite by using a password manager and a VPN.