For two-and-a-half years, Google hasn’t touched their 2FA app’s code. Perhaps it is perfect? Perhaps there are no more UI improvements or security enhancements that can be done? Or, more likely, it joins a long graveyard of Android apps – launched optimistically and then abandoned.
.@Xero Thoughts please, as I think the only 2FA offered is Google Authenticator for your service? Should customers be concerned? What do you suggest to ensure customer and account security until this is fixed? https://t.co/pArKEr9z7E
— Kathryn Corrick (@kcorrick) February 27, 2020
Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that’s used as a two-factor authentication (2FA) layer for many online accounts.
Google launched the Authenticator mobile app in 2010. The app works by generating unique codes, six to eight digits long, that users must enter in login forms while trying to access online accounts.
Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user’s smartphone and never travel through insecure mobile networks, online accounts that use Authenticator codes as 2FA layers are considered more secure than those protected by SMS-based codes.
This is real bad, it's hard to trust any Google product long term.