Is Google Authenticator Safe to Use?
Working on the internet is always associated with the risk of personal information leakage and the loss of digital assets due to account hacking. Therefore, no matter the complexity of the password you create, it is better to have a second level of access verification. In this way, you will make life much more difficult for hackers. A 2FA code generation program will be quite a suitable option for this.
There is probably not a single online service that would not recommend that its users activate additional account protection using Google Authenticator. Setting this option is sometimes even a prerequisite. It’s better to let the user use 2FA than risk losing their data.
However, what is this type of program, and is Google Authenticator safe to use?
Previously, we’ve talked about Google Hangouts. Here, you can learn more about it.
What is 2FA?
Setting up 2FA includes additional factors for logging in, for example using SMS, fingerprints for using a particular device, or a six-digit Google Authenticator (GA) code.
More information about 2FA and its comparison with other security methods can be found here.
What is Google Authenticator?
This service provides two-step authentication for quick access to sites where you need to be registered. Instead of standard credentials, it presents the user with a code of six or eight digits for authentication on a particular site.
-What is a six-digit GA code?
It is a one-time password that is constantly being generated* for 30 seconds at a time. During this time, you will need to enter it in the corresponding field when logging in to the service or to other systems where you have 2FA protection.
*Note: The code is generated even when the internet is disconnected.
After entering such a code, the user becomes authenticated in the system using their credentials from a Google account.
The service is implemented in the form of an application for mobile devices based on Android and some other operating systems, and it must be downloaded and installed before using the authenticator.
By the way, the initial versions of applications for this service were distributed by the developer’s as open source. But all the newer versions have recently become the intellectual property of the developer — in this case, Google.
Learn more about Google security here.
As mentioned earlier, Google Authenticator is designed for two-factor authentication (2FA), which provides an additional level of security when confirming the identity of users requesting access to an online account. So, to get access, the user must first enter a username and password and other data:
- Additional information (personal identification number, password, answers to “secret questions” or a certain sequence of keystrokes).
- Proof of ownership (standard means are suitable: credit card, smartphone or hardware token).
- Biometric data (relevant for advanced level: biometric fingerprint, iris scanning, or voice printing).
So even if the password is stolen or the phone is lost, the risk of unauthorized access to your information is almost zero.
How do you come up with a strong password? First, read our fully-fledged guide.
Is Google Authenticator safe to use?
The main feature of Google Authenticator is that a secret key is generated every 30 seconds. And even if an attacker manages to find out your basic authorization data (login and password) in any way, it will be problematic for them to intercept the code from the application to confirm the login from an unknown device to your account. More precisely, it is not realistically possible. So this increases the protection of your account and your data several times.
But in 2020, specialists discovered the only vulnerability associated with the 2FA codes of Google Authenticator. It was done by the specialists of the ThreatFabric company. The malware involved is called Cerberus. According to the research, the code-stealing feature has been under development and hasn’t been used in real attacks on ordinary users.
Cerberus is a hybrid of a banking Trojan and a Remote Access Trojan (RAT) for Android devices. When this Trojan appears on a device, it will steal all bank details.
However, suppose the victim’s account is protected using the 2FA of the Google Authenticator application. In that case, Cerberus acts as “a rat” and provides its operators with remote access to the device. Then hackers open Google Authenticator, start generating a one-time code, take a screenshot of it, and then use it to access the victim’s account.
As it turned out, the Android OS allows applications to protect their users from other applications’ ability to take screenshots of their content. For this to work, the FLAG_SECURE option must be added to the app settings. But Google didn’t add this feature to GA.
By the way, Google could have fixed this problem back in 2014, after a GitHub user wrote about it but did not do it. According to the latest data, this vulnerability remains uncorrected, despite the wide publicity of this problem.
Google is tracking you all the time. Here are the details.
Can I be hacked with 2FA Google Authenticator?
As you know, in addition to providing the needed password code when logging in, the user should enter a specific code that generated by GA. It is a secure alternative protection method that used by many people instead of SMS one-time password. As a rule, people trust the alternative method and ensure the security of their accounts.
Even though Google Authenticator is a fairly secure application (despite the previous paragraph, where a rather technical vulnerability was considered) there have still been cases when hackers stole authentication codes from Android smartphones. They do this by tricking the user into installing malware that copies and sends the codes to the hacker.
The Android operating system is easier to hack than the iPhone iOS. Apple’s iOS is private, while Android is open-source, which makes it easier to install malware.
How to protect your data on the various apps and services? First, read the article and follow the rules.