Why did Google weaken their own 2FA Authenticator?

Risk Management
Written By Ian Wright

Introduction

A recent blog post from Retool claimed that the Google Authenticator "Account synchronization" feature was to blame for enabling an attacker to access Retool's internal systems. So has Google really added a feature that puts users at risk? If so, why did they do it?

Authenticator Account Synchronization

In April this year Google announced a new Authenticator "Account synchronization" feature. This was designed to backup Authenticator one-time passwords (OTPs) by storing the underlying secret used to generate the OTPs in the user's Google account.

While there is a clear need to securely backup these secrets, simply storing them in the user's account without any additional protection does significantly change the security properties of the Authenticator. More specifically, this feature means that one-off access to a user's Google account could now give an attacker the ability to generate OTPs for any existing authenticator-protected accounts for an indefinite period. 

In a world where attackers are increasingly focusing on social engineering and are utilising techniques such as deepfake audio to convince users to hand over passwords and OTPs (as happened in the Retool attack) this does look like a significant weakness. It is also noteworthy that similar 2FA backup solutions, such as the passphrase protected approach used by Authy, do not weaken security in the same way.

So if this change represents a security downgrade for the Authenticator, then why did Google do it? The somewhat counterintuitive answer is that Google probably made this change because it is likely to increase the security of their overall user base.

Two Factors are Better than One

The real problem here is password based authentication. The human tendencies that lead us to create (and frequently reuse) weak passwords, combined with the sheer number of leaked account emails and password hashes from various breaches and the relative ease at which compromised hashed passwords can now be cracked, leads us straight to a very simple conclusion: password-based authentication simply does not work anymore. It needs to go away. Preferably quickly.

From Google's perspective, anything that hinders adoption of 2FA represents a clear and present security risk to their customer base, 2FA device recovery is one of these problems. 

If the device with the Google authenticator is lost, stolen or just stops working, then recovering access to all your accounts can be a complicated process. Complexity is something that people will always try to avoid, so not having a good solution for this is very likely to lead to fewer people adopting Google's 2FA solution.

In essence, Google seem to believe that having a higher proportion of their customer base using a slightly weaker (but more user friendly) version of 2FA represents less overall risk than having a more secure 2FA offering that is used by fewer people.

It is hard to argue against this, they are probably right.

Simple chart showing the relative security of Google's Authenticator, Authenticator with Cloud Sync, and a password.

What Went Wrong?

Where Google appear to have dropped the ball here is around the way this change was communicated and the level of control given to those customers that had already adopted the Authenticator. 

Existing Authenticator users are likely to be those that use their Google account for business purposes or are generally more security conscious. From their perspective, this change could easily be seen as a security downgrade so pushing this out without carefully and clearly explaining the associated security considerations was a mistake. 

Google may have done the right thing from the perspective of their overall user base but that is probably not going to make the people at Retool feel any better about what happened.

Conclusion

There is no such thing as the perfect 2FA solution. Hardware keys can be expensive and inconvenient, software based TOTP or HOTP secrets may be lost or compromised and SMS based solutions are vulnerable to SIM swapping and mobile-network based attacks. Also, none of these solutions will ever provide complete protection against a sophisticated social engineering attack.

The key point to remember is that an imperfect 2FA solution is still likely to be far more secure than something based on a single password. When it comes to evaluating a 2FA solution it definitely pays to make sure that you don't let great be the enemy of good.

The bottom line here is that Google probably did the right thing, they just went about it in the wrong way.

Ian Wright
Previous

Phishing with FIDO
Next

A Million Weak SSH Keys?