The unencrypted transmission is critical for further reasons. As a man-in-the-middle, the heise editors were able to detect the secret as Base32-encoded in the data stream. The TOTP secret was transmitted to Google during synchronization via the network. My reading of Mysk's text, however, is that these very "secrets" were not found in the transmitted messages.Īt German site heise the editorial team has analyzed the whole thing and writes in this article that they were able to reproduce the problem under Android 13. Articles like this one now say that the Authenticator app secrets could also be accessed by Google or third parties – which would allow the same passkeys to be generated. However, it is unclear whether this seed (the secret) is backed up to the Google account with in plain text. This transfer probably does not contain the seed (or secret code) used to generate the one-time codes. The security researchers published screenshots in the tweet as well as in this post that show what is transferred during the backup and then ends up in plain text on the Google account. The transmission only took place via TLS, so that a man-in-the-middle attack cannot read the data. When Mysk analyzing the network traffic during the backup of the passkey, it was noticed that this data is not end-to-end encrypted. Mysk (iOS developer and security researcher) points this out in a tweet. Unfortunately, the Google developers fell a bit short, because the transfer of the passcode through the Authenticator app to the user's Google account is unencrypted and thus potentially insecure. Geht das Gerät mit der installierten Google Authenticator-App verloren, lässt sich der benötigte Passcode mit einem neuen Gerät über das zugeordnete Google-Konto synchronisieren. Nach einem Update der Google Authenticator-App haben die Nutzer nun optional die Möglichkeit, den auf dem Gerät vom Google Authenticator gespeicherten einmalige Code (Passcode) mit ihrem Google-Konto zu sichern. If the device with the installed Google Authenticator app is lost, the required passcode can be synchronized with a new device via the assigned Google account. While there are security codes during setup that can be used to unlock the whole thing – they are often lost or misplaced.īased on a lot of user feedback, Google then announced a new feature on Apin the article Google Authenticator now supports Google Account synchronizationAfter an update of the Google Authenticator app, users now have the option of backing up the unique code (passcode) stored on the device by Google Authenticator with their Google account. Then the unique code (passcodes) stored on the device by Google Authenticator is lost, and users can no longer log in to the services in question, with two-factor authentication (2FA) set up in Authenticator. The problem with this approach, however, is that dealing with the Google Authenticator can become quite complex if the device on which the app is installed is stolen, lost or simply broken. The app is intended to increase user security when logging into online accounts. The Google Authenticator app is available for both Android and iOS. Google Authenticator was released in 2010 as a free and easy option for websites that require two-factor authentication (2FA). Backup of passcodes in the Google Account
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |