peach_fotolia - stock.adobe.com

Google Authenticator synchronization raises MFA concerns

Infosec experts say a synchronization feature added to Google's Authenticator app could lead to unintended consequences for organizations' multifactor authentication codes.

Google this year launched a new feature to its Authenticator app that was designed to improve the user experience. But some infosec professionals say the technology giant has introduced additional risks for organizations.

In April, Google updated its Authenticator app to synchronize multifactor authentication (MFA) codes to the cloud, a feature the technology giant said was requested by customers to preserve MFA codes if devices are lost or stolen. The update was applied to work across iOS and Android devices and was intended to improve users' two-factor authentication experience, according to Google. Users can download the authentication app to receive one-time passwords (OTP) on their devices.

However, an increase in successful social engineering attacks that illustrate vast knowledge of a victim environment as well as effective phishing and vishing techniques show MFA can be bypassed and manipulated. In the case of Google Authenticator, the synchronization feature may have inadvertently added risk to the equation. That was demonstrated by a recent social engineering attack against developer platform Retool.

The vendor disclosed it was breached in late August in a spear-phishing attack that led to the compromises of 27 cloud customers' accounts, all of which were in the cryptocurrency industry. While the attack involved several stages, including vishing calls, Retool blamed the extent of a breach last month on Google Authenticator syncing MFA codes to the cloud.

First, the threat actor sent out a malicious link to Retool employees that contained an MFA code form on a site that resembled the company's internal identity portal. An employee clicked the link, filled out the form and then the threat actor called pretending to be an IT staff member. Retool said the threat actor "deepfaked" an actual IT employee's voice.

Although the employee was suspicious, Retool said they provided an additional MFA code over the phone. That code was part of Okta's authentication platform, which uses OTPs. Retool noted the attack occurred during the company's transition to Okta's authentication platform.

The MFA code allowed the attacker to gain access to the employee's Okta account and add their own personal device to the account. That led to further access, including an active Google Workspace session; as a result, the employee's Google account became compromised.

Retool blamed Google's synchronization update because all the employee's MFA codes were accessible through their Google account. Those codes gave the attacker to access other areas, including Retool's corporate VPN and administrator systems, which led to the compromise of the cloud customers.

"The fact that access to a Google account immediately gave access to all MFA tokens held within that account is the major reason why the attacker was able to get into our internal systems," wrote Snir Kodesh, head of engineering at Retool, in the blog post.

Misplaced blame?

When Google Authenticator's synchronization feature was first introduced, some expressed concern that it posed additional security risks, such as a lack of end-to-end encryption for synchronization traffic. Another concern raised by German app development firm Mysk was that if a threat actor compromised a Google account, all the MFA secrets associated with the account would be exposed. For these reasons, several cryptocurrency companies, such as Delta Exchange, advised customers to disable the synchronization feature.

Cryptocurrency firms later saw those concerns realized with the Retool breach. However, other infosec experts agreed many other steps are required for an attacker to take advantage of the synchronization feature and gain significant access to a victim's organization. Jeff Nathan, security researcher and director of detection engineering at Netography, said Retool's blame was misplaced, as Google was just mirroring what so many other companies like Duo Security are doing.

"For Retool or anyone who uses OTP that show up on your phone, that's phishable. Unfortunately, the pattern of letting you add your own device is how people might make a small phishing thing much worse," Nathan said. "If Retool was using WebAuthn, it never would have happened in the first place."

Similarly, Jack Poller, an analyst at TechTarget's Enterprise Security Group, said catastrophic events don't occur from one big issue alone. He compared the social engineering tactics used in the Retool attack to the MGM Resorts International and Caesars Entertainment attacks recently. Okta revealed that several customers, including the Las Vegas resorts, were compromised in a social engineering attack against the identity and access management vendor last month.

"It's because of a sequence of small issues that combine to lead to a greater failure, and the Retool attack follows this pattern," Poller said in an email to TechTarget Editorial. "There were many points during the sequence of events that small decisions could have been made differently that would have turned this major breach into a relatively minor event."

ZeroFox CTO Mike Price said using SMS codes is risky due to the increased number of social engineering attacks that lead to code compromises. The network security vendor recently observed an increase around cloaking techniques where attackers can essentially display malicious phishing pages to their targeted demographic.

While Price does recommend that ZeroFox customers use an MFA app like Google Authenticator because it can't be socially engineered directly, it does pose other risks. For example, if a user's phone is compromised, then the MFA app would be as well. Additionally, devices that are not fully updated increase the chances that attackers will gain access.

He also said Google Authenticator's lack of end-to-end encryption poses additional risks.

"It also appears that the phone will sync your Google Authentication codes up the servers, and there are points afterwards where they could be unencrypted. It's a little difficult to say exactly when and where and for how long. Therefore, they could be compromised in the future through some probably complex series of events," Price said. "The practical risk is low, but it exists, whereas before it did not."

At the least, he said, organizations need to now implement an MFA option and having an app like Google Authenticator directly on the phone is more convenient. "Having it saved to the cloud makes it slightly harder to sleep at night – like, 'Is my account secure? I'm a little more nervous now where I wasn't before,'" Price said.

Passwordless push

In Retool's blog post last month, Kodesh claimed there wasn't a "clear way" to disable the synchronization feature. According to Google's blog post in April, users simply had to update the app and follow prompts to turn on the feature. But it did not address how to disable it.

However, the blog post did promote passwordless security. "We've been also been working with our industry partners and the FIDO Alliance to bring even more convenient and secure authentication offerings to users in the form of passkeys," Google wrote in the blog post.

Nathan interpreted that as Google preferring that users don't enable the synchronization feature and move away from usernames and passwords altogether. "This is a whole lot of writing to say 'We really wish people wouldn't use this. But if you're going to use it, everyone is asking us to do it this way, and we've added this feature,'" he said.

In a statement to TechTarget Editorial last month about Retool's claims, Google again promoted passkeys, which are phishing resistant.

"Phishing and social engineering risks with legacy authentication technologies like ones based on OTP are why the industry is heavily investing in these FIDO-based technologies," Google wrote in an email to TechTarget Editorial. "While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account or to keep them stored only locally. In the meantime, we'll continue to work on balancing security with usability as we consider future improvements to Google Authenticator."

Passkey support among major vendors has increased lately. This month, Okta was the latest to launch passkey support during its Oktane 2023 user conference in San Francisco.

Passkey adoption, however, will take time. Companies like Okta are implementing additional security measures to prevent the compromise of credentials and, most importantly, MFA codes. Price offered additional steps security teams can take to defend against evolving social engineering campaigns. The Number 1 method is for enterprises to be secure by design, he said.

"In a scenario where somebody calls IT help desks and asks for critical information, the person would need to be trained to expect this. And there should be technical countermeasures that prevent single points of failure. For example, two trained people need to review and access, at the same time, sensitive information," he said.

Dig Deeper on Identity and access management