Is Google Authenticator’s New OTP Cloud Backup Feature Safe?

We all know Google Authenticator. It’s an app-based MFA that uses ‘’time-based one-time passwords’ (TOTP), or OTP for short. When a user is ready to authenticate a login, Google Authenticator will provide the user with a six-digit code to prove who they are.

The Authenticator app is about 13 years old now and users have been desperate for Google to add a backup and sync feature, which has been at the top of the wish list for some time now, according to many commentators. Google joins a list of other MFA providers in adding this feature.

In this article, we discuss the challenges, threats and pit falls of Google’s backup and sync strategy and why it comes with bigger problems.

What is an OTP Code?

First off, let’s talk about OTP. It’s the six-digit code generated on app or a hardware device which is used as an extra step in some multifactor authentication processes. An OTP code is like a password in its application, but unlike passwords, OTP’s can only be used once (usually valid for about 30seconds) before they permanently expire. The idea is that hackers cannot steal them and use them later.

OTP codes as an additional factor are slightly more secure than a single method of authentication such as a password used in isolation, and it cannot be ‘replayed’.

When OTP is used in combination with a memorised password, it certainly does make it more difficult for hackers. They cannot access their victim's account with just one element, i.e., the password. They still need to get the OTP. Like anything, it slows the bad guys down, but do OTP codes prevent all password-based attacks? Well, the short answer is definitely no.

What about phishing?

We can’t discuss Google’s new back up and sync feature without talking about phishing. It’s true to say that a password plus an OTP is an effective way to prevent brute force attacks – but it doesn't stop phishing.

With phishing, the attacker steals both the password and the OTP and can then use them immediately to access its victim's account. This is called an ‘on-the-fly phishing’ attack. In this scenario OTP’s cannot protect users.

Adversary in The Middle (AiTM)

If Adversary in The Middle is not on your radar, maybe it should be. This attack is strangely both a much more sophisticated phishing attack, and yet at the same time, an attack that can now be carried out very quickly and easily with open-source phishing kits – phishing as a service is here. This makes AiTM more accessible than ever to cybercriminals without much skill or budget required to successfully execute. AiTM is also the attack that some in the industry are claiming can bypass MFA. This is not entirely true, or at least it’s not the full story. AiTM does however, make it possible to bypass the protection provided by OTP, as well as QR and/or Push, which are all 1^st generation technologies. All the attacker needs to do in AiTM is steal the session cookies to access its victim's account. But not all MFA is made equal, as we will explain.

Google’s Cloud Backup and Sync

Google introducing cloud backup and sync for Google Authenticator will of course help people to regain access to their account in case they lose the phone where Authenticator is installed, but it comes with bigger problems. Google says:

“One major piece of feedback we’ve heard from users over the years was the complexity in dealing with lost or stolen devices that had Google Authenticator installed. Since one-time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign-in to any service on which they’d set up 2FA using Authenticator.”

Account Takeover

Because OTP secrets for various accounts are now going to be stored in the cloud, all an attacker needs to do is simply steal the user's Google account password to restore all the OTP secrets on their device. With the secrets, the attacker can now generate as many OTPs as is required for each of the user accounts in order to compromise them. The attacker can also, reset the OTP secret to take over the accounts completely.

And what if users don’t think or remember to have a different authentication method for their Google account? They might lose access to everything anyway, even without a full account take-over.

In Conclusion

With or without backup, both passwords and OTPs can be phished. OTPs can be completely 100% bypassed with AiTM. Any MFA is better than no MFA, but the ultimate goal should be phish-proof MFA - an MFA that is unphishable is where credentials cannot be stolen and where the authentication process cannot be bypassed.