Why you should never use Google Authenticator again
There is no such thing as too much security. On the other hand, using buggy or weak security mechanisms can give you a false sense of security while you remain vulnerable to all sorts of threats.
Using passwords alone is generally a bad idea; we have known this since the early days of the Internet. We are making progress toward a world without passwords, but in the meantime many websites offer additional protection for user accounts through two-factor authentication (2FA).
In general, there are two types of such authentication: Time-based One-Time Password (TOTP) and Universal 2nd Factor (U2F). You are probably already familiar with the first type, since it is the most widely used: during login you are asked to enter a one-time code generated by an app on your smartphone or by a separate hardware device, or delivered by SMS. The method is simple, but it has a few weaknesses that make it dangerous.
How does TOTP work?
A time-based one-time password, popularized mainly by Google Authenticator, confirms your identity on the basis of a shared secret. This secret is known to both you and your provider.
When you log in to the website, your device generates a unique code from the shared secret and the current time, and you enter this code manually. The server generates exactly the same code from the same secret, compares the two, and confirms the login request.
What is wrong with TOTP?
The method is very simple to use; however, it is not without vulnerabilities and inconveniences.
1. You need to enter the code manually during login.
2. Cumbersome backup. Backing up the secret takes many steps. Moreover, good services usually provide backup codes rather than explicitly telling you to save the secret. If you lose your secret along with the backup codes, you will have to go through the entire TOTP registration process again.
3. Backup codes are delivered over the Internet, which is completely insecure.
4. You and the provider share the same secret. If an attacker breaches the company and gains access to both the password database and the database of secrets, they can get into any account completely unnoticed.
5. The secret is shown in plain text or as a QR code. It cannot be stored as a hash. This also means the secret is most likely stored in plain text on the provider’s servers.
6. The secret may be disclosed at the time of registration, because the provider has to hand you the generated secret. With TOTP you have to trust the provider's ability to keep the secret confidential. But can you?
How does FIDO / U2F work?
The U2F standard, developed by the FIDO Alliance, was created by technology corporations such as Google and Microsoft in response to the vulnerabilities found in TOTP. U2F uses public-key cryptography to confirm your identity (see the Reddit “Explain Like I’m Five” thread). Unlike TOTP, here you are the only one who knows the secret (the private key).
TREZOR – U2F
TREZOR is a small standalone hardware device designed to store private keys and act as an isolated computing environment. Originally designed as a secure hardware wallet for Bitcoin, its range of uses has grown considerably thanks to the versatility of asymmetric cryptography. Now TREZOR can also serve as a secure hardware token for U2F; you confirm each login by pressing the button on the device.
Unlike some other tokens, TREZOR always uses a unique key for each registered user account. Among other things, the device takes U2F to a whole new level:
1. Easy backup and restore. The first time the device is started, TREZOR asks you to write down a so-called “recovery seed” on a piece of paper. This is done only once and covers everything on the device. The recovery seed encodes all the secrets (private keys) the device generates and can be used at any time to restore your hardware wallet.
2. An unlimited number of U2F identities, all covered by a single backup.
3. The secret is stored safely inside the TREZOR. Nobody will ever learn it, since it can never leave the device; no virus or hacker can steal it.
4. Phishing protection with on-screen confirmation. The wallet always displays the URL of the website you are logging in to, as well as exactly what you are authorizing. You can verify that the information sent to the device matches what you expect.
5. Additional information on setting up, using and recovering U2F with TREZOR can be found in our blog post or in the User Documentation.