2-factor authentication (2FA) is one of the most important measures Bitcoin and crypto owners can take to protect their exchange accounts and other accounts from hackers. By far the most widely used 2FA method is Google Authenticator; hardly any crypto users are likely to be unfamiliar with the app.
Google Authenticator adds an extra layer of security to exchange accounts by adding a second verification step when logging in. This means that in addition to entering a password, users also have to enter a six-digit code generated by the Google Authenticator app on their phone.
New Google Authenticator Update Carries Big Risk For Crypto Users
In an announcement published yesterday, Google released version 4.0 of the app for iOS and Android. The new version introduces cloud syncing.
This means that crypto users will be able to sync Authenticator-generated verification codes with all Google accounts and devices, and retrieve verification codes any time the device is lost. In other words, the one-time codes are stored in the user’s Google account and are no longer device-dependent.
This is supposed to make it easier to sign in with Google Authenticator, which was released back in 2012. As Google writes, a key piece of feedback from users over the years was that dealing with lost or stolen devices that had Google Authenticator installed was too complex.
Losing a device meant crypto users initially lost their ability to log in to any services they had set up 2FA for with Authenticator. Only a backup code created when the app was installed could restore all login codes to a new Google Authenticator app running on a new device.
With the 4.0 update, Google introduces a simpler solution to this problem: “With this update we’re rolling out a solution to this problem, making one time codes more durable by storing them safely in users’ Google Account. This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security.”
However, blockchain security firm SlowMist points out in a tweet that this easier handling comes with greater risk. If users lose access to their email clients, for example, due to a hack, all access protected by Google Authenticator is at risk, SlowMist says:
If you use this backup method, the mailbox will be at risk. Once the mailbox permission is lost, the 2FA verification code may be stolen, which will bring huge risks. Please pay attention to the relevant risks.
Crypto owners should therefore think twice about whether to activate the new feature or stick with the old backup solution.
At press time, the crypto market remained in its deep correction. Bitcoin traded at $27,431.