The Google Cloud Sync feature that could make you vulnerable (2024)

Multi-factor authentication (MFA), also known as 2-Step Verification, is a layered approach to securing your accounts. It combines two or more ‘authenticators’ like biometrics (e.g. your fingerprint), physical tokens and one-time passcodes to verify your identity.

Popular authenticator applications include Google Authenticator and Microsoft Authenticator, both of which generate one-time passcodes.

What's the problem?

One of the biggest challenges with adopting MFA via authenticator applications is the risk of losing the device that stores the app and authenticator codes for your important accounts like banking, email and social media accounts.

Losing the one-time passcodes, and therefore access to your accounts, could begin a long, time-consuming recovery process.

To combat this issue, it’s possible to sync the codes to the cloud, and across devices. Then, if the device is lost, you can log in to your account (e.g. Google or Outlook) on a new device and retrieve your MFA codes.

What's the security concern?

Unlike other authenticator apps, Google Authenticator doesn’t use end-to-end encryption for codes uploaded to its cloud servers, making them susceptible to hackers during the sync. This also means that if an attacker gains access to your Gmail account, they could access all the one-time passcodes linked with your account at the same time.

This was what happened at Retool, a software development company.

The Retool story

Retool blamed a $15 million cryptocurrency hack on the Google Authenticator Cloud Sync feature.

The attack started when several Retool employees received targeted texts, claiming that a member of their IT team was dealing with an account issue that would prevent healthcare coverage [1].

An employee clicked the link in the text message and provided login details, including an MFA code. Shortly after, the employee was contacted by the attacker, who was impersonating IT Support. The employee then handed over another MFA code, which let the attacker log in to the employee's account and register the attacker's own device to produce MFA codes.

The use of Google Authenticator's Cloud Sync feature played a key role in this breach, as the attacker could access all MFA codes saved to the employee's Google account, including several company accounts.
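Why one compromised Google account exposes every synced code, shown as an added example (not code from Google, Retool or this article). It assumes the passcodes are standard RFC 6238 TOTP; the `Authenticator` class, the account names and the seeds are constructed for illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the seed and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Constructed sample seeds. The first is the published RFC 6238 test secret.
SEEDS = {"work-sso": b"12345678901234567890", "email": b"constructed-seed-0002"}


class Authenticator:
    """Hypothetical model of an authenticator app and its optional cloud copy."""

    def __init__(self, seeds, cloud_sync):
        self.seeds = dict(seeds)
        self.cloud_sync = cloud_sync

    def synced_copy(self):
        # With sync on, the seeds themselves (not single codes) leave the device.
        return dict(self.seeds) if self.cloud_sync else {}


def recoverable_from_account(app, now):
    """Accounts whose current code can be computed from the synced copy alone."""
    cloud = app.synced_copy()
    return sorted(
        name for name, seed in cloud.items()
        if totp(seed, now) == totp(app.seeds[name], now)
    )


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp taken from the RFC 6238 test vectors
    print("sync on :", recoverable_from_account(Authenticator(SEEDS, True), now))
    print("sync off:", recoverable_from_account(Authenticator(SEEDS, False), now))
```

With sync on, every enrolled account is reproducible from the cloud copy for as long as the seeds stay unchanged; with sync off, nothing outside the device can compute a code.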

Convenience versus risk

Although syncing MFA codes across devices is convenient, it carries significant security risk if your account is compromised.

If you’re syncing high-risk accounts (like business accounts or those with client information), I recommend switching this feature off so codes can’t sync to the cloud, and only allowing authenticator apps to store secrets locally.

If you’re worried about device loss, you can generate and safely store or print one-time backup codes for your most valuable accounts.

It’s worth noting that there’s no way for an administrator to centrally disable Google’s Cloud Sync. If you are relying on Google Authenticator in your business, you’ll need to ask employees to switch off Cloud Sync themselves on their own devices.

How to turn off Cloud Sync:

Just follow these simple steps:

  1. Open Google Authenticator
  2. Select your picture
  3. Select "Use without an Account" from the menu [2].

You’ll know Cloud Sync has been switched off when you see a line through the cloud symbol.

Turn on multi-factor authentication (MFA) for your Parmenion Account today

We offer MFA for our platform and it only takes two minutes to set up through our secure Parmenion App. All you have to do is:

  1. Download the Parmenion mobile app
  2. Log in to your Parmenion account via the Parmenion mobile app (this will automatically link your device to your account)
  3. Next time you log in to your account via the browser, you'll be asked to authenticate using your mobile device.

[1] https://retool.com/blog/mfa-isnt-mfa/

[2] https://support.google.com/accounts/thread/216566901/how-to-turn-off-google-authenticator-cloud-sync-feature

Article information

Author: Aracelis Kilback
