
Two-factor authentication (2FA) is a common protection mechanism that many companies use to make unauthorised access more difficult. In industries that handle sensitive data, such as financial services, property, construction, technology or healthcare, 2FA has long been standard. However, not every 2FA solution is equally secure. On the contrary: features such as Google Authenticator’s cloud synchronisation can introduce unexpected risks. In this article, you will learn where these systems are weak, how to use them correctly in a modern corporate context and which alternatives are available.

The most important facts in brief

  • Not every two-factor authentication (2FA) is equally secure. Risks can arise, particularly with systems that work with synchronisation via a cloud.
  • Google’s Authenticator is criticised by many experts because its cloud synchronisation works without end-to-end encryption, which means that the synchronised 2FA secrets can be compromised by anyone who gains access to the Google account.
  • Companies with their own IT structures or sensitive data benefit from open source solutions with more data protection-friendly and controllable options.
  • Companies should define security guidelines, exclude private accounts and train employees.

Why two-factor authentication is essential

The security mechanism of two-factor authentication requires – in addition to a conventional password – a second method of identity verification. Company data or online accounts should thus be secured with an additional step to minimise the likelihood of unauthorised access.

Sophisticated hacking tools now make it easier to compromise simple passwords, i.e. to reveal or guess them. Various types of 2FA have been developed to address this problem:

  • SMS codes: A key (combination of numbers or letters) is sent to the user’s smartphone via SMS.
  • Authentication apps: These generate new, individual codes within the app itself; Google Authenticator is one example. Apps like these are less susceptible to phishing than traditional SMS codes. A notification is sent when you log in.
  • Physical security keys (hardware tokens): A security key is a physical device used in combination with a personal PIN.
  • Biometric methods: Here, not only passwords are required for identification, but also a fingerprint or face scan.

How does the TOTP process work?

With this method, time-based one-time passwords are created. The installed 2FA app and the website you want to log in to share a key – also known as a ‘secret’. Based on this key and the current time, the app generates a new login code every 30 seconds. To connect the app to the respective account, you usually have to scan a QR code on the website. 2FA with TOTP is correspondingly secure – but only if the keys are stored locally.

How does the Google Authenticator work?

Two-factor authentication with Google, in many cases via the in-house Google Authenticator app, is one way of preventing data misuse. If you have linked your Google account to your smartphone, the app will provide you with a six-digit code that you need to log into your (Google) applications.

The app makes it harder for attackers to access your accounts: even if the password is known, the code from the app, which exists only on your mobile phone, is still required. In addition, Google’s application works offline, which makes it reliable even without network reception.


What is the disadvantage of the Google Authenticator app? Lack of encryption criticised

In April 2023, Google introduced a new feature: the Google Authenticator keys can now be saved in your Google account, so that you can use Google Authenticator on two or more devices. If you lose your smartphone, for example, this makes it easy to set up the authenticator directly on a new device.

However, experts warn of major security gaps, especially for people who have sensitive data, such as customer details.

This is because anyone who gains access to your Google account could also obtain your 2FA secrets: the data is stored without additional encryption and can be read out quickly, as Heise-Verlag found in a self-test. To be precise, the transmission itself is protected by TLS (Transport Layer Security), but there is no end-to-end encryption (E2E), so the data is visible to Google, and to anyone who compromises the account.

Advantages of cloud synchronisation

However, the option of backing up authenticator data in the cloud also has an important advantage: if the smartphone is lost or replaced, the 2FA keys can be easily restored to a new device – whether on a laptop, tablet or smartphone. This increases user-friendliness and minimises downtime. In companies, synchronisation can also simplify administration via a central account – especially when setting up new devices or when employees change.

However, the prerequisite for this is that the backed-up data is reliably encrypted – ideally using end-to-end encryption where only you have access to the content.


End-to-end encryption: an important security measure

Google’s Product Manager for Identity and Security, Christiaan Brand, stated in a post on X that he intended to add E2E encryption. However, he remained firm: “At this time, we believe that our current product strikes the right balance for most users and offers significant advantages over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”

The new feature has not yet been added.

Not just Google: other authenticator services are also struggling with data leaks

The password manager LastPass had to contend with product flaws, and attacks on company computers resulted in data leaks. Twilio, the operator of the authenticator app ‘Authy’, also announced in mid-2024 that sensitive data, allegedly including 33 million telephone numbers, had been leaked.

The company Retool described a similar case at the end of August 2023. Several employees received targeted text messages claiming that a member of the IT department would be contacting them about an account problem.


The timing of the messages coincided with a recently announced login changeover. The URL included was designed to look deceptively similar to the company’s internal identity portal. Although most of the workforce did not respond to the message, one employee logged in via the link provided by the attackers, which made the phishing attack successful; the attackers even mimicked voices from the IT team using deepfakes. The synchronisation of the employee’s Google account across several devices then made things worse: access to the account gave the attacker access to all of his MFA codes.

Secure alternatives to Google Authenticator for companies?

Anyone who protects sensitive access data with Google Authenticator gains security, but at the same time accepts dependencies and potential vulnerabilities through cloud synchronisation, especially if employees use private Google accounts or there are no overarching company guidelines. But which authenticator is the most secure? That depends on your requirements. Here are the best alternatives.

  • Password manager from Open Circle: The OPEN CIRCLE Password Manager not only offers the option of simply saving passwords, but also of storing the corresponding TOTP keys directly. This means that no second device is required for the login, the password manager alone is sufficient for the MFA.
  • FreeOTP: This free open source application (available in the Google Play Store and App Store) provides a ‘second layer of security for your online accounts’, as the developer Red Hat describes it. According to tests, the app does not collect data for third parties, unlike some other applications.

Recommendation for SMEs: Implement and secure 2FA correctly

In order to take the most secure route and protect company and customer data, you should consider using suitable security solutions from the outset. This includes not only suitable password managers, but also choosing the right authentication method. If you want to introduce two-factor authentication (2FA), you should consider the following aspects – they have a significant impact on the security and usability of the chosen method.

  • Analyse which systems are particularly worth protecting. Business-critical applications, sensitive data and central IT infrastructure are attractive targets for cyber attacks – this is precisely where additional protection through 2FA makes particular sense. It is therefore important to first identify all systems, platforms and devices used: Which applications are essential for day-to-day business operations? Are there any outdated systems that pose a security risk? Which hardware requires an update or regular backup? Only with a complete overview can a targeted decision be made as to where 2FA should be implemented – and how much effort is involved.
  • Seek advice from Open Circle, for example, to make your IT structures more secure and independent. Our IT experts will analyse your existing system landscape, identify potential weaknesses and show you how you can improve your IT security.

In addition, you should also observe internally which processes could be optimised:

  • Define central security guidelines and make it mandatory to specify which authentication methods should be used.
  • Ensure that employees do not use private accounts for work access and prevent the use of arbitrary, non-approved apps for logging into company systems.
  • Consider scheduling training sessions to ensure that all employees can use 2FA securely.

Deactivate the backup function of the Google Authenticator app

If your company currently uses Google two-factor authentication, you should check whether the synchronisation of 2FA codes with Google accounts is active. To do this, deactivate the cloud backup function in the app settings and switch to local backup procedures.

Users who have already activated the backup function should deactivate it first. The two-factor seeds of all accounts managed via the Authenticator app should then be reset, so that the confidentiality of the login data is restored.

Conclusion: More control, less risk with two-factor authentication

Two-factor authentication is an indispensable component of modern IT security – even for SMEs. However, not every solution protects in the same way. Cloud synchronisation in particular, as used by Google Authenticator for example, harbours risks. Rely on 2FA, but think carefully about how you implement it. Open source solutions such as the password manager from Open Circle or FreeOTP offer more control and security. At the same time: 2FA can only be used effectively and responsibly with clear guidelines, targeted training and regular monitoring.

Author

Pascal Mages

Chief Technology Officer
