Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
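The point made above, that the seed alone is enough to reproduce the codes, can be checked directly. The following Python is an added example, not code from the post's authors or from Google: it parses the otpauth URI a 2FA QR code carries, derives the one-time code per RFC 4226/6238, and includes the kind of drift-tolerant, constant-time check a server would run. The otpauth URI and the 20-byte seed are constructed for the example (the seed is the RFC 6238 test seed, so the expected values are the RFC's own vectors).

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: what a QR code for a TOTP enrolment typically encodes.
# The secret is the base32 form of the RFC 6238 test seed b"12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
SEED = b"12345678901234567890"


def parse_otpauth(uri):
    """Parse an otpauth://totp/... (or hotp) URI into its seed and generation parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    # Secrets are base32 (RFC 4648); many apps omit padding and vary case, so normalise.
    s = params["secret"].replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(s),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="SHA1", t0=0):
    """RFC 6238 TOTP: HOTP with counter = floor((now - T0) / period)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at - t0) // period, digits, algorithm)


def totp_from_uri(uri, at=None):
    """What any party holding the QR-code contents (user, app, sync server) can compute."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])


def verify_totp(secret, code, at=None, window=1, period=30, digits=6, algorithm="SHA1"):
    """Server-side check tolerating +-window steps of clock drift, with a constant-time compare."""
    if at is None:
        at = time.time()
    for step in range(-window, window + 1):
        candidate = totp(secret, at + step * period, period, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print("label:", p["label"], "issuer:", p["issuer"], "seed (hex):", p["secret"].hex())
    # Two independent holders of the same seed produce the same code for the same time step.
    print("code at T=59 from URI :", totp_from_uri(SAMPLE_URI, at=59))
    print("code at T=59 from seed:", totp(SEED, at=59, digits=8))
    print("code now:", totp_from_uri(SAMPLE_URI))
```

Running it prints `94287082` twice for T=59, which is the RFC 6238 vector for this seed; the `verify_totp` helper shows why a leaked seed is equivalent to a leaked factor, since the server's check is nothing more than recomputing the same HMAC.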
Random Website: You need to set up #2FA with your phone number!
Me: Why?
Website: In case we get hacked!
Me: I don't really care, no one even knows about this account and it doesn't have my personal information.
Website: You misunderstand, it's so that in case we get hacked, we HAVE your information to leak to the hackers. They worked hard and deserve it! Also we sell your account to ad companies but they're not interested unless they can tie it to a real person.
Cool, all my #2FA tokens are gone. Because an #OpenSource project got bought by a shady company, which now, after almost a year of owning it, broke the app with their first(!!) update to it!
Oh, and of course they want money in the form of a subscription now. Can't make this shit up.
@pypi now requires #2FA for new user registrations in order to publish or create new projects. This is part of a broader effort to require 2FA for all users of #PyPI by the end of 2023.
For all of those using #23andMe or similar services, here's a periodic reminder on how to properly protect your #biometrics DNA #2fa factors:
Regularly (at least once a year) change your genetic code. Small random mutations are insufficient; a new code should be generated.
Never use the same genetic code on more than one service.
Select a strong genetic code. Use at least 8 great-grandparents, and at least 1 billion base pairs.
Never share your genetic code with anyone. We will not ask for your genetic code, and giving your genetic code to a co-worker or friend can result in disciplinary actions, including infectious diseases, romantic angst, and unwanted lifetime financial and caregiving responsibilities.
🚨 PSA: #PyPI is requiring #2FA in 2024 to publish new releases. If you're a developer of #Python packages then you need to enable 2FA in addition to adopting either Trusted Publishers or API tokens before publishing new releases.
For years, I’ve seen questions from inside and outside of the 1Password community about the safety and security of storing certain secrets (like passwords) alongside other secrets (like TOTP). There’s a lot of misinformation out there. A coworker of mine, who is smarter than I am, writes about and clarifies the topic here: https://blog.1password.com/totp-for-1password-users/
Behold! Thanks to the power of the Watchy development platform, I now have all my 2FA codes available at the flick of my wrist! HOWTO This uses Luca Dentella's TOTP-Arduino library. You will need a pre-shared secret which is then converted into a Hex array. Use the OTP Tool for Arduino TOTP Library to get […]
I still like their product as it allows sync between devices and it's intuitive to use. Also credit where credit is due: They mention alternatives on their own support page.
So, in case anyone still thinks that patching and security in general are not so important nowadays: I've already found several attempts to exploit the recent critical CVE-2023-7028 vulnerability in the logs of my GitLab instance, although it was only published a few days ago.
Conclusion:
✅ Install security updates literally ASAP.
✅ Turn on mandatory 2FA for all users.
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.