First Google Authenticator Update In Years Allows Users To Move Accounts Between Devices


Google Authenticator is a software-based authenticator that implements two-step verification services for authenticating users of software applications.

With this update, Google introduces version 5 of its Authenticator app on Android, bringing the first major improvements in three years:

First, Google has adapted the app's interface for larger screens with more modern aspect ratios, added an adjustable dark mode, and redesigned the user interface in accordance with Google Material 2 standards.

And second, Google is also giving the app one of its most-wanted features: a way for users to easily transfer their account from one device to another.

With the update, users of Authenticator can do exactly that without having to manually transfer each code or disable and re-enable two-factor authentication (2FA) on each account. The update introduces this feature through an import/export tool that allows users to choose which accounts to include and transfer using a single QR code scan.

This is a feature that competitor Authy has provided for quite some time, so it’s refreshing to see it come to Authenticator, even if Google is already years late.

In a blog post on May 7, 2020, Google said that:

"Today is World Password Day, and we found it fitting to release an update that'll make it even easier for users to manage Google Authenticator 2-Step Verification (2SV) codes across multiple devices."

"We are introducing one of the most anticipated features - allowing users to transfer their 2SV secrets, the data used to generate 2SV codes across devices that have Google Authenticator installed. For instance, when upgrading from an old phone to a new phone. This feature has started rolling out and is available in the latest version (5.10) of Google Authenticator on Android."

Google Authenticator exists because Google knows that a username and password alone are too weak to protect accounts.

Authenticator provides 2SV, 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA), as a critical way of protecting accounts from unauthorized access. With these mechanisms, users need to verify their identity through their password and an additional proof of identity.

By having multiple methods of authentication, users benefit from better security.


To use Authenticator, the app must first be installed on the user's smartphone.

After that, users must set up the login for each website they want to use. To do this, the site should provide a shared secret key to the user over a secure channel, which is then stored in the Authenticator app. This secret key will then be used for all future logins to that site.

"Google Authenticator makes it easy to use 2SV on accounts. In addition to supplying only a password when logging in, a user also enters a code generated by the Google Authenticator app on their phone," said Google.

Compared to the more traditional passcodes sent via text message, authenticating via authenticator apps is regarded as a safer and more secure alternative.

However, users must first place their trust in the apps to keep their accounts safe.

Because of this, Google said that it has made several explicit design decisions to minimize the attack surface while increasing the overall usability of the app.

"We ensured that no data is sent to Google’s servers during the transfer -- communication is directly between your two devices. Your 2SV secrets can’t be accessed without having physical access to your phone and the ability to unlock it.
We implemented a variety of alerting mechanisms and in-app logs to make sure users are aware when the transfer function has been used."

But in the meantime, Google Authenticator is still using default parameters that are weaker than the suggestions in RFC 6238.

Such defaults can be reasonably exploited, as demonstrated in Hashcat's TOTP cracking engine. For this reason, users of Google Authenticator should take care with the secrets being used.
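One way to take that care with secrets is to audit the provisioning URI a site hands you before it goes into the app. The Python sketch below is an added example, not code from Google or from the original article: it computes TOTP as specified in RFC 6238 and checks the secret length in an `otpauth://` URI against RFC 4226's 128-bit minimum and 160-bit recommendation. The two sample URIs are constructed, and the function names are hypothetical.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample provisioning URIs (not real accounts).
WEAK_URI = "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example"
STRONG_URI = ("otpauth://totp/Example:bob?secret="
              + base64.b32encode(b"12345678901234567890").decode()
              + "&algorithm=SHA256&digits=8")

def totp(key, unix_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def audit_otpauth(uri):
    """Return effective TOTP parameters and secret-length findings."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.scheme != "otpauth" or u.netloc.lower() != "totp" or "secret" not in q:
        raise ValueError("not a TOTP provisioning URI")
    s = q["secret"].replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # URIs omit padding
    report = {
        "algorithm": q.get("algorithm", "SHA1").upper(),  # key-URI defaults
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "secret_bits": len(key) * 8,
        "findings": [],
    }
    if report["secret_bits"] < 128:
        report["findings"].append("secret below RFC 4226 minimum of 128 bits")
    elif report["secret_bits"] < 160:
        report["findings"].append("secret below RFC 4226 recommended 160 bits")
    return report

if __name__ == "__main__":
    for uri in (WEAK_URI, STRONG_URI):
        print(audit_otpauth(uri))
```
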

Published: 08/05/2020