CyberSecurity SEE

Concerns arise over MFA with Google Authenticator synchronization

Google’s introduction of a synchronization feature to its Authenticator app earlier this year has raised concerns among information security professionals who believe it could pose additional risks for organizations. The update, which allows users to sync multifactor authentication (MFA) codes to the cloud, was intended to enhance the user experience of the two-factor authentication process. However, experts claim that the feature can be bypassed and manipulated, as demonstrated by a recent social engineering attack on developer platform Retool.

The breach, which occurred in late August, involved several stages, including vishing (voice phishing) calls and spear-phishing tactics. The threat actor sent a malicious link to Retool employees, disguising it as the company’s internal identity portal. An employee clicked on the link and filled out an MFA code form, after which the threat actor called and posed as an IT staff member, successfully convincing the employee to provide an additional MFA code over the phone. This code was part of Okta’s authentication platform, which uses one-time passwords (OTP). The attacker gained access to the employee’s Okta account, subsequently compromising their Google account and leading to further access to Retool’s corporate VPN and administrator systems.

Retool placed the blame on Google’s synchronization update, arguing that the feature allowed the attacker to access all MFA codes held within the employee’s Google account, thereby providing them with unauthorized access to the company’s internal systems. However, some experts believe that Retool’s blame is misplaced. They argue that Google was simply following the example set by other companies, such as Duo Security, which also allow users to add their own devices for MFA. They emphasize the importance of using WebAuthn, an authentication standard that provides stronger security measures against phishing attacks.

While there are inherent risks associated with MFA, particularly when using SMS codes, experts argue that the Retool breach was not solely caused by Google Authenticator’s synchronization feature. They stress that catastrophic events often result from a sequence of small issues rather than one major vulnerability. They cite the MGM Resorts International and Caesars Entertainment attacks as examples. Both attacks targeted the identity and access management vendor Okta and involved social engineering tactics.

Despite the concerns raised, many experts still recommend using an MFA app like Google Authenticator, since the app itself cannot be socially engineered directly. However, they acknowledge that such apps carry risks of their own, particularly if the user’s phone is compromised or the device is not fully updated. Additionally, Google Authenticator’s lack of end-to-end encryption poses further risk.

In response to Retool’s claims, Google has promoted the use of passkeys, which are phishing-resistant. The company argues that legacy authentication technologies like OTP are vulnerable to phishing and social engineering attacks, and it is actively working with industry partners to develop more secure authentication offerings. Major vendors, including Okta, have recently introduced passkey support, but widespread adoption will take time.
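To make concrete why the experts quoted above prefer WebAuthn and passkeys over OTP, the following added example (not code from the article, Google, Okta or Retool) contrasts a standard RFC 6238 TOTP check with a simplified WebAuthn-style assertion check. The origins, secrets and challenge are constructed placeholders, and an HMAC stands in for the authenticator's real per-credential signature; the point is that the OTP carries no information about where it was typed, while the WebAuthn client data names the origin the browser was actually on.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the shared secret and the time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check; nothing here knows on which page the user typed the code."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))

def sign_assertion(device_key: bytes, challenge: str, origin: str) -> tuple:
    """Simplified WebAuthn assertion: the browser records the origin it is on in clientDataJSON
    and the authenticator signs over it (HMAC used here as a stand-in for ECDSA)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).hexdigest()

def verify_assertion(device_key: bytes, client_data: bytes, signature: str,
                     expected_challenge: str, expected_origin: str) -> bool:
    """Relying-party check: type, challenge and origin must all match before the signature counts."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != expected_origin:
        return False
    expected_sig = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, signature)

def relay_outcomes(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: the user authenticates on a look-alike page instead of the real portal."""
    secret, device_key = b"constructed-totp-secret", b"constructed-device-key"   # constructed values
    real, lookalike = "https://sso.example.com", "https://sso-example.com"       # placeholder origins
    # OTP: a code entered on the look-alike page is exactly as valid at the real portal.
    code_entered_on_lookalike = totp(secret, now)
    otp_accepted = verify_totp(secret, code_entered_on_lookalike, now)
    # WebAuthn: the assertion made on the look-alike page names that origin, so the real portal rejects it.
    challenge = base64.urlsafe_b64encode(b"constructed-challenge").decode()
    client_data, sig = sign_assertion(device_key, challenge, lookalike)
    webauthn_accepted = verify_assertion(device_key, client_data, sig, challenge, real)
    return {"otp_accepted_by_real_portal": otp_accepted,
            "webauthn_accepted_by_real_portal": webauthn_accepted}
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors, so it can be checked against a real authenticator app's output for the same secret and time.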

In conclusion, while Google’s synchronization feature may introduce additional risks for organizations, it is important to recognize that the Retool breach was the result of a combination of vulnerabilities and social engineering tactics. The incident highlights the need for organizations to implement secure-by-design practices and consider stronger authentication methods, such as passkeys, to mitigate the risk of social engineering attacks.
