Everyone in security will tell you that you need two-factor authentication (2FA), and we agree. End of article? Nope. The devil, as always with security, is in the details. Case in point: in the last few weeks, no less than Google messed up with their Google Authenticator app. The security community screamed out loud, and while it’s not over yet, it looks like Google is on the way to fixing the issue.
Since 2FA has become a part of all of our lives – or at least it should – let’s take a quick dip into how it works, the many challenges of implementing 2FA correctly, what happened with Google Authenticator, and what options you’ve got to keep yourself safe online.
You probably know or use Google Authenticator, Microsoft Authenticator, or an app like Authy. What all of these authenticator apps have in common is the generation of a time-dependent six-digit number, given a secret key. Perhaps you scanned that secret key into your phone in the form of a QR code? If any of the above sounds familiar, you’ve used a time-based one-time password (TOTP).
Under the Hood
What goes on under the hood with TOTP is nothing secret, and in fact you can do it yourself in just a few lines of Python if you’d like to. Basically, it’s taking the secret key, hashing it with a timestamp, and pulling six digits out of the result. The server to which you’re authenticating also has the secret key and a clock, does the same computation, and if they match, it knows that you are you!
This is a great system because a new six-digit “password” is regenerated every 30 seconds or so, which makes it impossible to guess before it expires. Using a one-way hash of the secret and the time ensures that even if an attacker is listening in, they can’t generate the next key, or figure out your secret key from the intercepts. And even if you get phished into typing your six-digit TOTP into a bad web site, it’s a one-time password, so the damage is limited to that one login. (Of course, if they can wipe out your bank account in that one login…)
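The computation described above, written out as an added example (not code from the original article): standard TOTP per RFC 6238 with HMAC-SHA1, plus a server-side check that tolerates one time step of clock drift and refuses a code that was already used. The `Verifier` class, its `window` parameter and the sample secret (the RFC 6238 test key) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6

def totp(secret: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, keyed with the secret."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def decode_secret(b32: str) -> bytes:
    """QR codes carry the secret as Base32, usually without padding."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

class Verifier:
    """Hypothetical server side: allow +/- `window` steps of drift, reject reuse."""
    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1   # highest time step already accepted

    def verify(self, submitted: str, now: float) -> bool:
        if not (submitted.isascii() and submitted.isdigit()):
            return False
        current = int(now) // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue          # this step was already used: treat as replay
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False

if __name__ == "__main__":
    # Constructed sample secret (the RFC 6238 test key), not a real credential.
    secret = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, time.time()))
```

Note that both `totp` and `Verifier` need the raw secret bytes, which is why the server cannot keep only a hash of it.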
The underlying secret key in the TOTP is longer and more random than any password a human would choose, and if you’re like most people you haven’t ever even seen it – it’s in that QR code you scanned. So the TOTP secret key is a good password, and it’s only stored in two places: your phone and the server to which you’re authenticating. And therein lies the rub. What happens when you lose your cell phone?
Most authenticator apps have a method of backing up the secret key to another device. The most common is to generate a QR code with your secret key so that you can just take a picture of phone one with phone two. That way, only someone looking over your shoulder at that exact moment can steal the key. But what if you want to back the secret up to the cloud? That’s where Google Authenticator got into trouble.
The secret key is a secret, and in the case of a 2FA token, it’s probably a secret that you really care about. What do you normally do when you send or store secrets? You encrypt them, right? Guess what Google didn’t do when sending the secret key between your phone and their server!
How should cloud backup be done right? It should be end-to-end encrypted. That is to say, on phone one, you should have to type in yet another password to encrypt it before it’s sent out to Google. On the receiving phone two, you enter that same password again to decrypt the TOTP secret. In the middle, Google or anyone else listening in would have to break your encryption to steal the TOTP secret, and you have the convenience of the cloud.
What could go wrong with Authenticator sending the keys in plain text? For one, you might not want to trust Google with your TOTP secret keys. Of course, if you’re using Google Authenticator only to log into Google, they have the secret key already. But if you’re storing all your TOTP keys in one basket in one convenient app, then Google (or anyone who hacks Google) has access to your bank account too. If Authenticator let you encrypt the keys before backing them up, you wouldn’t have to trust Google at all. Or mostly not.
Authenticator apps are a strange bargain. On the one hand, they provide a non-repeating login that will help defeat eavesdroppers. On the other hand, the secret needs to be used in an unhashed form, both on your phone and on the server that authenticates it. This means that there’s not a super-safe way to store them on the server side, unlike regular passwords which can be stored salted and hashed. So the safety of your TOTP keys relies on the authentication server not getting hacked. Your TOTP keys are much more vulnerable to a server database breach than a regular password.
The TOTP key is also stored in some kind of readable form on your phone. Maybe it’s encrypted with another secret key, but if someone smart got your phone, you’re probably cooked. Worse, this means that you have to trust the TOTP app. Unsurprisingly, there are numerous cases of malware authentication apps out there that simply steal your TOTP secret.
But you also have to trust the authenticator app to respect your privacy. While in principle a TOTP can be generated without any Internet access, and indeed that’s what hardware tokens like the YubiKey do, most cellphone-based authenticator apps phone home. Particularly egregious among these, Microsoft Authenticator sends personally identifiable data about you back to Microsoft even before you’ve accepted the terms and conditions, and does so afterwards when you use it. Authy may be even worse, transmitting which websites you’re logging into. (Video link, great explainer.) It’s not clear whether the info that Google Authenticator sends home identifies you uniquely, but it’s definitely more than is necessary for the software to function, which is none.
This all sounds pretty bleak for 2FA. On the one hand, backup can be difficult, or hard to get right. On the other, the companies that provide you the software are spying on you. Should you just give up?
Nope! Remember, the TOTP system is open and even simple to implement, and there are many open-source apps out there that don’t invade your privacy. Red Hat’s FreeOTP runs on iOS and Android, and would be our first choice if we didn’t roll our own. Aegis Authenticator also comes well recommended, but only runs on Android. There must be others, so if you have a favorite, chime in!