Bitcoin Forum

Economy => Exchanges => Topic started by: Oshosondy on May 12, 2023, 07:02:58 AM



Title: Security risk notice: Google Authenticator's cloud sync feature
Post by: Oshosondy on May 12, 2023, 07:02:58 AM
OKX sent me an email today about the risk of using Google 2FA with the cloud sync feature: that it is very risky because it is not end-to-end encrypted.

Quote
Security risk notice: Google Authenticator's cloud sync feature

We'd like to inform you of a potential security risk for Google Authenticator users. Google Authenticator's cloud sync feature is not end-to-end encrypted, and poses a high security risk if you use it to secure your OKX account.

Here's what you need to know about this security risk:

- Google Authenticator stores your private keys used to generate one-time codes every 30 seconds, and is used for two-factor authentication
- When the cloud sync feature is turned on, Google backs up your private keys without encrypting them behind an additional passphrase
- This means that a malicious attack on your Google account will not only leave your passwords vulnerable, but your private key too. This allows hackers to log in to all your accounts with two-factor verification, including your OKX account.

We strongly recommend turning off the cloud sync feature and keeping the private key on your device, or switching to authenticator apps that encrypt your private key when storing it on the cloud.

At OKX, our top priority is the safety of your account and funds. For any further questions or concerns, please reach out to customer support for help.

Regards,
OKX Team

I will not advise you to just turn off the syncing feature on Google Authenticator; it is better to go and activate new 2FA codes on your different exchanges and wherever you are using 2FA. Do not use Google Authenticator again. There are better 2FA apps.

  • Aegis Authenticator (https://getaegis.app/) Android, F-droid
  • Tofu Authenticator (https://www.tofuauth.com/) iOS
  • Raivo OTP (https://apps.apple.com/us/app/raivo-otp/id1459042137#?platform=iphone) iOS, Mac
  • Ente Authenticator (https://github.com/ente-io/auth/#readme) Android, iOS
  • andOTP - OTP Authenticator (https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp) Android, F-droid

Those are better authenticators. I will suggest Aegis for Android and Tofu for iOS.


Title: Re: Security risk notice: Google Authenticator's cloud sync feature
Post by: rat03gopoh on May 12, 2023, 07:21:36 AM
Thanks for this urgent heads-up. This should apply to all accounts using 2FA security methods, not only exchanges; this should be on the service's discussion board.
Luckily I retired from using this authenticator app a long time ago due to limited backup methods, and unfortunately, I wasn't able to restore some of the accounts connected to it.


Title: Re: Security risk notice: Google Authenticator's cloud sync feature
Post by: hugeblack on May 12, 2023, 08:44:34 AM
An excellent warning from OKX, although I see a disclaimer of responsibility if Google Authenticator is misused by Google to access user accounts or attempt to collect data about them. If you use trading platforms periodically or in large amounts, it is better to take this warning seriously.

Google has a bad record in dealing with user data and preserving their privacy, and therefore it is better not to think that you are safe by using one of their cloud services.

Thanks for the list of suggestions; I will give https://getaegis.app/ a try.