
I was just reading around and found it really fascinating that Authy can use Google Authenticator implementations anywhere.

How does Authy do this? Isn't this a security risk?

eKKiM

2 Answers


The use of apps other than Google Authenticator is not, by itself, a security risk, provided you trust those apps.

The purpose of 2FA is to prove that you have some physical object (in this case, your phone), in addition to knowing something (the password). This makes it more difficult for an attacker to compromise your account, because they are less likely to simultaneously know your password and have your phone.

The TOTP protocol used by Google Authenticator basically works like this (for full details, see RFC #6238):

  1. You scan a QR code which contains some secret. The site provides this secret to you, and also stores it server-side (preferably encrypted, in an HSM, or in some other "reasonably safe" storage; RFC #4226 has some interesting discussion of the difficulties here).
  2. When you need a new one-time-password (OTP), you perform some cryptographic operation (an HMAC) based on the secret and the current time.
  3. That cryptographic operation produces a value which can be converted into an OTP. You provide that OTP to the website, which generates an OTP by the same process.
  4. If your provided OTP matches the OTP which the website generates (or the OTP it would have generated a few time steps into the future or past, to allow for clock skew), then it is accepted. Otherwise, it is rejected.

This is an open standard, and by design, anyone can implement either half of it (client or server). However, a malicious client implementation could hand the secrets over to an attacker, who could then impersonate you for 2FA purposes, so you should only use client apps which you trust.


All that being said, I have some pretty strong reservations about Authy in particular. When I last investigated it, it stored the secret from step (1) in the cloud by default. This is intended to be for convenience, so that if you lose or replace your phone, you won't have to reconfigure TOTP on all of your accounts.

But it also means that you are defeating the core purpose of 2FA: You are no longer proving that you both have something and know something. Instead, you are proving that you know something (your password), and have authenticated with someone else (Authy's cloud storage). This is a weaker security model because it makes Authy a point of failure for all of the other sites.

Kevin

The Google Authenticator format is a standard format known as TOTP or HOTP (depending on whether it is a time based or HMAC based implementation). The QR code is just an encoded URI that contains everything needed for an application to set up the counter with the starting secret. For example: otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example is what the QR code actually contains, which has the username, as well as the secret key used.

https://github.com/google/google-authenticator/wiki/Key-Uri-Format

plttn
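As an added example (not code from either answer, nor from Authy or Google), here is a minimal Python implementation of the protocol the first answer walks through: it parses the otpauth URI quoted in the second answer, derives HOTP/TOTP codes with HMAC-SHA1 as in RFC 4226/6238, and verifies a code with the plus/minus one time-step skew window from step 4. It assumes the Key Uri Format defaults (6 digits, 30-second period) where the URI omits them.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(uri):
    """Split a Key Uri Format string into its type, label, secret and options."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],          # base32 secret shared with the server
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),    # default assumed when absent
        "period": int(params.get("period", 30)),   # default assumed when absent
    }

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, period=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of periods since the Unix epoch."""
    return hotp(secret_b32, int(unix_time) // period, digits)

def verify_totp(secret_b32, candidate, unix_time, period=30, digits=6, skew=1):
    """Server side: accept the current step or any step within +/- skew (clock drift)."""
    step = int(unix_time) // period
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret_b32, step + delta, digits), candidate):
            return True
    return False

if __name__ == "__main__":
    # The URI below is the one quoted in the second answer.
    cfg = parse_otpauth("otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example")
    print(cfg["label"], totp(cfg["secret"], time.time(), cfg["period"], cfg["digits"]))
```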