
Question

I was one of the people who thought that enabling 2-factor in Apple would have prevented the download of images from iCloud; it was recently pointed out to me that, in fact, I was gravely mistaken. Apple's 2-factor only works in a subset of their services and therefore their 2-factor lends a false sense of security (at this point; they may extend the services their 2-factor protects at some point.)

I had thought the implementation was similar to Google's 2-factor. Are there ways that Google's 2-factor implementation is similarly bypassed, where there are services or circumstances I would not be alerted if my account were accessed by a machine or device not in my control?

Explanation / Answer

Here are some scenarios where Google's 2FA implementation might be compromised:

- App specific passwords do not require 2FA even if 2FA is enabled on the account. Therefore a malicious App which has been provided an App specific password can perform actions without your knowledge.

- On Android the Authenticator App does not contain an internal QR code reader, instead it creates an implicit Intent and allows any App with an appropriate Intent filter to receive the intent. This App could be malicious or act as a MITM to a legitimate QR code reader.

- 2FA is not entirely immune to phishing. If an attacker can convince you to enter both your password and a valid 2FA pin, then they can potentially log in and then create an App specific password to use as a back door.

- There is an option to receive 2FA codes via phone call. The phone call can potentially go to voicemail which is notoriously insecure.

- An attacker can also use SMS and it's relatively sneaky to slip permissions to access SMS past users on Android in particular.
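To make the first and third bullets concrete, here is an added example (not from the answer above, and not Google's code) that models the two login paths and the audit a defender would want: a minimal RFC 6238 TOTP check on the interactive path, an app-specific-password path that never consults the second factor, and a review function that flags app passwords created shortly after an interactive login from an IP not on the account's known list (the phish-then-backdoor pattern). Account data, IPs and the secret are constructed for the example.

```python
import hmac, hashlib, struct
from dataclasses import dataclass, field

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

@dataclass
class Account:
    password: str
    totp_secret: bytes
    app_passwords: dict = field(default_factory=dict)  # name -> (secret, created_at)
    log: list = field(default_factory=list)             # (time, path, src_ip, ok)

def interactive_login(acct, password, code, src_ip, now):
    # Password AND current TOTP code are both required on this path.
    ok = hmac.compare_digest(password, acct.password) and code == totp(acct.totp_secret, now)
    acct.log.append((now, "interactive", src_ip, ok))
    return ok

def create_app_password(acct, name, secret, now):
    acct.app_passwords[name] = (secret, now)

def app_password_login(acct, name, secret, src_ip, now):
    # The second factor is never consulted here: this is the bypass the answer describes.
    stored = acct.app_passwords.get(name)
    ok = stored is not None and hmac.compare_digest(secret, stored[0])
    acct.log.append((now, "app_password", src_ip, ok))
    return ok

def suspicious_app_passwords(acct, known_ips, window=600):
    """Return app-password names created within `window` seconds after a successful
    interactive login from an IP the account owner has not marked as known."""
    flagged = []
    for t, path, ip, ok in acct.log:
        if path != "interactive" or not ok or ip in known_ips:
            continue
        for name, (_, created) in acct.app_passwords.items():
            if 0 <= created - t <= window and name not in flagged:
                flagged.append(name)
    return flagged

# Constructed scenario: phished password + code used once, then a back door is created.
SECRET = b"12345678901234567890"          # RFC 6238 test-vector secret
acct = Account(password="hunter2", totp_secret=SECRET)
T0 = 1_700_000_000
phished_code = totp(SECRET, T0)           # code the victim typed into the phishing page
interactive_login(acct, "hunter2", phished_code, "203.0.113.9", T0)
create_app_password(acct, "mail-backup", "abcd-efgh-ijkl-mnop", T0 + 60)
```

Running `app_password_login(acct, "mail-backup", "abcd-efgh-ijkl-mnop", "203.0.113.9", T0 + 86400)` then succeeds with no TOTP at all, while `suspicious_app_passwords(acct, known_ips={"10.0.0.5"})` surfaces `mail-backup` for review.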
