This blog has moved to Medium

Subscribe via email


How not to use Google Authenticator

Followup to yesterday’s post on how someone hacked my gmail account:

If you choose to add Google Authenticator instead of SMS messages as a two-factor authentication scheme, be aware of the following:

 

There is a good chance you will add Authenticator as a “primary” authentication scheme, but SMS messages will remain as an alternative option.
This means that an attacker could always bypass Authenticator and just use SMS, which is weak with Pushbullet/any sync-SMS-to-desktop scheme.
If you sync your SMS messages to your phone, you have to make sure to remove SMS messages as an alternative authentication method, not just add Authenticator.

Thanks Eyal Brosh for alerting me to this fact.

 

One Comment

  1. A Quantum Immortal » Did someone just hack my gmail?:

    […] The Fractional Fractal How not to use Google Authenticator […]