Google Auth Threatens Crypto Safety

Blockchain security firm SlowMist believes the new update increases the risk of 2FA verification code theft.

On April 24, Google announced a significant update to its Authenticator, which will be available for both Android and iOS. The update was intended to solve a common problem faced by smartphone users who had lost their devices. Because the unique codes were stored on a single device only, losing that device made it impossible to use any service with two-factor authentication (2FA) activated through Google Authenticator.

The new authenticator offers features to secure one-time codes. The team behind the update believes that this solution will better protect users from being locked out of services.

While storing one-time codes is no longer device-dependent and allows users to sync passwords across all their Google devices and accounts, some blockchain security experts are concerned about the implications of this update for crypto users. For example, Web3 cybersecurity firm SlowMist posted a security alert on Twitter warning crypto users that their mailboxes are at risk if they use such a backup method. "Once the mailbox permission is lost, the 2FA verification code may be stolen, which will bring huge risks," SlowMist explained.

The Twitter community has mixed feelings about Google's update. Some of them consider the sync a lifesaver, while others are convinced that Google Authenticator is not end-to-end encrypted, so anyone capable of monitoring traffic packets can generate codes.

Today, SlowMist also published a report on its "Investigation and Analysis of Third-Party Sources of Fake Web3 Wallets" to inform crypto users of the potential dangers associated with using third-party app markets like Apkpure or Apkcombo that "claim to offer applications sourced mainly from other legitimate app stores."

"Due to certain phones lacking Google Play support or network issues, numerous individuals prefer to download Google Play apps from sources other than the official platform," a practice SlowMist's team considers rather risky. The firm specifically investigated the versions of popular wallets offered on these websites and found that the developers of the authentic wallets had verified those versions as non-existent. For instance, SlowMist mentioned imToken 2.11.3, which is available on Apkcombo as version 24.9.22.

SlowMist also recommended crypto users avoid the Uptodown website, where "anyone can publish apps with minimal cost, therefore making phishing attacks more accessible."