Researchers find weakness in Google's two-step verification

Tools

Researchers from Duo Security have found a weakness in Google's two-step verification system that could allow a hacker to take over an account with nothing more than an application-specific password. Two-step verification is Google's implementation of two-factor authentication that greatly enhances security for users of Gmail and Google Apps by requiring a one-time code to be sent via text message or generated using a smartphone app.

To accommodate applications such as desktop email clients and chat programs that may not support two-step verification, Google (NASDAQ: GOOG) introduced ASP, or application-specific passwords. This is a lengthy string of randomly generated tokens that allows apps without the need for a second authentication factor, and which are individually generated and revoked.

The problem though is that application-specific passwords aren't actually specific, and can essentially be used to circumvent two-step verification in a variety of Google services.This was highlighted by Google engineers in a recent publication. "[A]n ASP can be used to log into almost any of Google's web properties and access privileged account interfaces, in a way that bypasses 2-step verification!" wrote the researchers from Duo Security in a blog entry.

The researchers found a bug in the auto-login mechanism implemented in the latest version of Chrome for Android that made it possible to utilize ASP to access a Google account's two-step verification settings. As reported by Computerworld, a hacker with an ASP can "change the mobile phone number and recovery email address associated with that account or even disable two-step verification altogether."

The flaw has since been fixed, though the weakness with ASP remains. Researchers have suggested that it would be better for Google to implement a mechanism to manage each ASP separately.

For more:
- check out this article at Computerworld

Related Articles:
Google unveils two-factor authentication for users
Google: We've slashed account hijackings by 99.7 percent