Is Google Authenticator Safe?
I’ve been using the Google Authenticator app for a long time now. I’ve added an OTP Token for virtually every service possible to try to bolster the security of my online identities.
But how much can I trust that the application isn’t sharing my keys with a server? How do I know some US Federal Agency doesn’t have a copy of my tokens, or at least court-obtainable access to them?
I’m going to avoid conjecture on this topic, as people love to get passionate about whether or not something is compromised, especially after the Snowden revelations.
Instead, I’ll try to list what facts I can find. I’m also looking at this from an iOS perspective, as that’s the platform my phone runs.
Fact 1: Google Authenticator is not Open Source
Google has published the source for the Authenticator app, but the iOS source hasn’t been updated in 4 years, aside from one small change at the end of last year.
Looking at the App Store page for the app, the last update added iOS 8 support last month. So we can be certain that they’re not building from the GitHub repository, as there’s no mention of that in the December 2014 commit.
Fact 2: We can’t be certain the App was compiled using the same Source Code
This problem exists with most applications. We have no way of knowing that the published source code is actually what was compiled and submitted to the App Store. Apple isn’t transparent about the content of the apps in the store, so even if the GitHub repository were up to date we would have no method of verification. It would be nice if they posted a hash of the app, or something similar, that we could check against the submitted files.
We don’t even know whether Apple is modifying the application on its end. Again, this lack of transparency is frustrating.
Fact 3: Google Authenticator follows HOTP and TOTP Standards
HOTP and TOTP are the two standards that the Google Authenticator app uses.
This is a good thing. A standards-based approach is excellent for everyone.
Ultimately, OTP has flaws, but it’s still better than single-factor authentication alone.
Fact 4: You can’t revoke your Google Authenticator App
You can only revoke the tokens individually through the service that generated them. So it’s best to keep a list of the sites you have tokens for somewhere safe, in case you lose your phone. You will also need to revoke them quickly after losing your phone.
So what does this mean?
Ultimately, we have to place a considerable amount of trust in Google by using the Authenticator app. A quick Google search for alternatives will find FreeOTP, made by Red Hat. This app is a little more trustworthy than Google Authenticator as it appears to be truly open source, but it still has the other issues: not knowing whether the compiled app matches the source, and not being able to revoke the codes remotely.
In the end, I’d love to be able to use some form of PKI credential as my second factor (I’m a little biased towards them, seeing as my job revolves around them), but for now OTP is better than nothing at all. Perfect protection of our accounts is impossible, but we want to make it as hard as possible for attackers so they just don’t bother.