Are Your Google Authenticator Codes Truly Secure?
James Harper
Cybersecurity Compliance | Speaker | CMMC CCA | CISSP | CCSP | Program Management | Team Builder
Many of us trust Google Authenticator to add a layer of security to our accounts. But Google Authenticator has a serious security vulnerability that makes it unacceptable for CMMC compliance and dubious for general use.
By default, Google Authenticator syncs the secrets behind your one-time codes to your Google account in the cloud. I do not use Google Authenticator. But I installed it on my Android device to test this out. What I discovered is that Google Authenticator has an icon indicating that codes have been saved to the cloud. I clicked on the cloud icon in the app a couple of times and did not immediately see an intuitive way of turning off this feature.
While cloud backup offers convenience, allowing you to recover codes if you lose your device, it also introduces a significant security risk. If an attacker gains access to your Google account, they could restore these synced secrets into Google Authenticator on their own device and generate your MFA codes.
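As an added illustration (not part of the original post), here is a minimal RFC 4226/6238 TOTP implementation in Python showing why the synced seed is the whole credential: a seed restored from a backup onto another device produces the same codes as the original phone, and the server check cannot tell the two apart. The otpauth URI and its seed are constructed demo values, not a real account.

```python
"""Why a synced TOTP seed is the whole credential (RFC 4226 / RFC 6238)."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Extract the Base32 seed an authenticator app stores when it scans an enrolment QR code."""
    query = parse_qs(urlparse(uri).query)
    b32 = query["secret"][0].strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def server_accepts(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `window` steps.
    The server sees only the six digits, so it cannot tell which copy of the seed made them."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * 30), code):
            return True
    return False


# Constructed enrolment URI using the widely published demo seed JBSWY3DPEHPK3PXP (not a real account).
ENROLMENT_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"


def cloned_seed_yields_same_code(at: int) -> bool:
    """The original phone and a copy restored from a backup hold the same seed,
    so they emit identical codes and both satisfy the server."""
    original_device = secret_from_otpauth_uri(ENROLMENT_URI)
    restored_copy = secret_from_otpauth_uri(ENROLMENT_URI)  # what a backup restore hands out
    code_a = totp(original_device, at)
    code_b = totp(restored_copy, at)
    return code_a == code_b and server_accepts(original_device, code_b, at)


if __name__ == "__main__":
    print("RFC 6238 vector:", totp(b"12345678901234567890", 59, digits=8))  # 94287082
    print("Restored copy produces a valid code:", cloned_seed_yields_same_code(1_700_000_000))
```

The first print reproduces the published RFC 6238 test vector, so the HMAC and truncation can be checked independently before trusting the second result.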
For CMMC, MFA authenticator codes are considered Security Protection Data (SPD). As such, if they are stored in the cloud, the cloud service must meet FedRAMP Moderate requirements. The consumer version of Google Cloud does not meet these requirements. In addition, these codes are specifically used to protect access to CUI. That means transmitting them over a network to the cloud requires FIPS 140-2 validated cryptography per SC.L2-3.13.11. The Google Authenticator app does not appear to employ FIPS 140-2 validated encryption.
For general users, Google Authenticator may be a reasonable choice if you turn off cloud synchronization. To do this, change the configuration settings in the Google Authenticator app to "Use without an account." This will prevent your MFA keys from being uploaded to the Google cloud.
#Cybersecurity #MultiFactorAuthentication #GoogleAuthenticator #CMMC #PhishingAwareness
CISO IT/OT Cybersecurity Officer at Siemens Healthineers
2 months
This is a configuration option that may not be ideal for some use cases, but it is in no way a “serious security vulnerability”. It is a well documented feature.
Turning CMMC Complexity Into Simplicity | vCISO for DIB Suppliers | CISSP Certified | 14+ Years of Passion | 40+ Businesses Secured | Opinions are my own
2 months
James, great insights on Google Authenticator's limitations! It’s surprising that its cloud sync lacks FIPS 140-2 encryption, especially given how critical MFA codes are for securing CUI under CMMC. This is a crucial reminder about balancing convenience and security. Curious—do you think this could push more organizations toward hardware-based MFA solutions? Have you explored alternatives like Yubico or Microsoft Authenticator? They seem better suited for meeting compliance needs.
Eagle Scout
2 months
I agree for most people, as they may enable 2FA but forget to update the other methods of getting into their account. This is the main reason, IMO, that what you're saying is true for a lot of people. A potential way to not have to worry as much about this is to ensure that you remove insecure login/recovery methods such as phone numbers, update your password to a long passphrase, make sure backup codes are enabled and stored in a secure password manager or physical safe, enable passkeys, and regularly review the devices connected to your account and the applications that are connected to and have permission on your account.