Google's two-factor authentication system has been heralded as a great way to add additional security to an account, but an oversight, recently closed by the web giant, had enabled attackers to reduce the number of factors back to one.
Google's two-factor system requires users to enter an additional factor — a numerical token — sent to or generated on their smartphone, so that their account is protected by more than just a single password. However, because the system only works with applications that use the Time-based One-time Password algorithm (TOTP), it relies on application-specific passwords (ASPs) as an additional factor for other applications.
Examples include third-party applications that log into Google properties, such as a video upload app that needs Google credentials to log into YouTube. When users wish to log in using a service unsupported by Google's system, they manually generate an ASP and enter it, which in turn generates a token to authenticate the service.
Two-factor authentication company Duo Security points out that these ASP tokens work in a similar fashion to OAuth tokens. It is OAuth tokens that allow linked accounts to log into other services without providing a password. Examples include using Facebook Connect to sign into other sites.
The main difference, however, is that while OAuth tokens are truly application specific — tokens generated to link Facebook accounts to a service cannot be used to link a Twitter account — ASP tokens are not, despite their name. The user decides on a description for the ASP, but it can be used for any application.
Normally, this isn't a significant issue as the presence of the ASP means that users must enter a second factor of authentication before they can log in. However, Duo Security, riding on the back of existing work undertaken by security researcher Nikolay Elenkov, discovered that it was possible to generate ASP tokens, or worse, trick Google into allowing the user to log in with nothing more than the account name and ASP.
This also allows an attacker to access Google's account settings page without further authentication challenges, opening the door to changing the account's recovery email address in order to issue a password reset, as well as to disabling two-factor authentication.
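The two design points above, that an ASP is not bound to the application it was described for and that it unlocked the account page with no second factor, as an added toy model that is neither Google's nor Duo Security's code: `authorize_legacy` shows the unbound shape the article describes, and `authorize` the bound check that only honours the issuing app's scope and refuses account-management scopes outright. The scope names, store layout and alphabet are assumptions.

```python
import hashlib
import secrets
import string

# Toy model, not Google's code: an ASP is 16 random case-insensitive
# characters (as the article states); the server stores only its digest,
# mapped to the app the ASP was issued for.
ASP_ALPHABET = string.ascii_lowercase + string.digits
ASP_LENGTH = 16

# Constructed set of scopes an ASP must never unlock on its own; reaching
# them should require the real second factor.
PROTECTED_SCOPES = frozenset({"account-settings", "recovery-email", "two-factor"})


def _digest(secret: str) -> str:
    # Case-insensitive: normalise so "AbCd" and "abcd" resolve to one record.
    return hashlib.sha256(secret.lower().encode()).hexdigest()


class AspStore:
    def __init__(self) -> None:
        self._app_by_digest = {}  # digest of the ASP -> app_id it was issued for

    def issue(self, app_id: str) -> str:
        """Mint an ASP bound to app_id; the secret is shown to the user once."""
        if app_id in PROTECTED_SCOPES:
            raise ValueError("ASPs may not be issued for account-management scopes")
        secret = "".join(secrets.choice(ASP_ALPHABET) for _ in range(ASP_LENGTH))
        self._app_by_digest[_digest(secret)] = app_id
        return secret

    def revoke(self, secret: str) -> bool:
        """Remove an ASP; returns False if it was not known."""
        return self._app_by_digest.pop(_digest(secret), None) is not None

    def authorize_legacy(self, secret: str, scope: str) -> bool:
        """The shape the article describes: any valid ASP unlocks any scope."""
        return _digest(secret) in self._app_by_digest

    def authorize(self, secret: str, scope: str) -> bool:
        """Bound check: only the issuing app's scope, never a protected one."""
        if scope in PROTECTED_SCOPES:
            return False
        return self._app_by_digest.get(_digest(secret)) == scope
```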
This oversight has now been patched by Google; however, both Duo Security and Elenkov offer some caveats as to how dangerous the hole is. Elenkov notes that the methods used to compromise the account had been officially deprecated by Google as of April last year. Google's deprecation policy states that it will maintain the API for the old ClientLogin system until April 20, 2015, but it also contains a clause that it may choose to discontinue it before then if "doing so could create a security risk or substantial economic or material technical burden".
Additionally, attackers must have gained access to one of the user's ASPs, which are currently 16 case-insensitive characters in length and randomly generated. Duo Security argues that passwords are generally broken via phishing schemes or the poor selection of passwords, and that "Google's two-step verification system should mitigate both of these types of attacks, even if users continue to do 'stupid' things".
"We're still confident that — even before rolling out their fix — enabling Google's two-step verification was unequivocally better than not doing so."