Google made a change to its Authenticator app that lets users keep a “one-time code” in the cloud. The change is meant to help people who lose the phone or other device that held their authenticator: they can still get into their accounts with this code. Google says that storing the code in a person’s Google Account is more convenient and secure. It also helps prevent people from being locked out of their accounts. However, some people are worried that this new way of storing codes might not be safe.
A user named u/pojut wrote on the r/Cryptocurrency forum that storing one-time codes in cloud storage linked to a person’s Google account might make that person more vulnerable to cyberattacks. If a hacker figures out the person’s Google password, the hacker can get into all of the apps that use the authenticator. To avoid this problem, u/pojut suggested using an old phone just for the authenticator app.
Mysk, a company that makes cybersecurity software, warned on Twitter about the problems that come with using Google’s cloud storage for two-factor authentication (2FA). 2FA is a security system that adds an extra step to logging into some accounts, such as those at cryptocurrency exchanges or financial services. It can be attacked in different ways, but one of the most common is called “SIM swapping.” This is when someone tricks a phone company into giving them control of a phone number, so they can get the 2FA codes that are sent to that number. This can put people’s accounts at risk.
A person filed a lawsuit against Coinbase, a cryptocurrency exchange in the US, claiming they lost 90% of their life savings because of a SIM swapping attack. Coinbase suggests using authenticator apps for two-factor authentication instead of text messages, which it says are the least secure type of authentication.
Google Authenticator’s new update may help users who have lost their authenticator app, but some users are worried about the security of the service. Keeping one-time codes in cloud storage could make it easier for cybercriminals to hack into a user’s Google account and access all linked applications. To protect themselves, users should install their authentication app on a different device and avoid two-factor authentication via SMS.