YAWIWMFA


  • ♿ (Parody)

    tl;dr Google added a "sync to cloud" misfeature for their authenticator: "Getting access to this employee’s Google account therefore gave the attacker access to all their MFA codes."

    * Yet Another Wish It Was Multi-Factor Authentication


  • I survived the hour long Uno hand

    @boomzilla said in YAWIWMFA:

    tl;dr Google added a "sync to cloud" misfeature for their authenticator: "Getting access to this employee’s Google account therefore gave the attacker access to all their MFA codes."

    * Yet Another Wish It Was Multi-Factor Authentication

    I never really thought of cloud MFA backup as an attack vector like that. From doing some cursory checking, I strongly suspect that Microsoft Authenticator would be subject to the same issue (though the requirement there is that it's associated with a personal plain old Microsoft account, so it's at least not directly tied to my work email). I suppose there has to be a balance somewhere between security and losing access to everything just because your cat pushed your phone into the toilet, but yeah, this seems a little on the wrong side of the line.



  • @izzion I agree with your cat example, but, strictly speaking, AIUI (which may be wrong) MFA means that you "have" something in addition to knowing something.

    Maybe I should RTMFAA.

    So it looks like the employee really did require access to his phone, so it was MFA.

    (still reading)

    So it was MFA for the first employee, but then the attacker was able to disable true MFA for the other employees.


  • I survived the hour long Uno hand

    @jinpa
    From what I gathered (and from reading up on how Microsoft Authenticator's cloud backup works since I get paid to administrate systems that rely on that app), the underlying issue is that if you let your TOTP Authenticator app backup to cloud, anyone who gains the ability to restore that backup gets access to all of your TOTP codes without you really knowing about it.


  • Notification Spam Recipient

    I appreciate the ones that require a password unlock to unpack the codes for this reason. Even though I have copies of my vaults in various places, still need to know Standard Secure local static 2019 password to unlock it. 🐣

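Added example (not from any poster in this thread, and not Google's or Microsoft's code): a minimal RFC 4226/6238 implementation that makes the point izzion and the last post are circling concrete. A TOTP code is a pure function of the shared seed and the clock, so a "cloud backup" of an authenticator is just the list of seeds, and whoever can restore it computes exactly the codes the phone does. The backup blob, account names and the second seed below are constructed for the example; the first seed is the RFC 6238 test seed, so the output can be checked against the RFC's own table.

```python
"""Added example: why a cloud backup of a TOTP authenticator is equivalent to
the phone itself.

A TOTP code is a pure function of (shared secret, current time), per RFC 6238.
Whoever can restore the backup holds every shared secret and can therefore
compute every code, for every account, until the seeds are rotated.
The backup format, account names and the second seed below are constructed
for this example; the first seed is RFC 6238's published SHA-1 test seed.
"""
import base64
import hashlib
import hmac
import json
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


# Constructed "cloud backup" blob, modelled on what any synced authenticator
# has to store: nothing more than the base32 seeds the enrollment QR codes carried.
# First seed is RFC 6238's test seed ("12345678901234567890"); second is made up.
FAKE_BACKUP = json.dumps({
    "accounts": [
        {"issuer": "ExampleCorp SSO", "label": "alice@example.com",
         "secret": base64.b32encode(b"12345678901234567890").decode()},
        {"issuer": "GitHub", "label": "alice",
         "secret": "JBSWY3DPEHPK3PXP"},  # constructed seed
    ]
})


def codes_from_backup(backup_json: str, unix_time: int) -> dict:
    """What an attacker who can restore the backup learns: every current code."""
    backup = json.loads(backup_json)
    codes = {}
    for acct in backup["accounts"]:
        seed = base64.b32decode(acct["secret"], casefold=True)
        codes[f'{acct["issuer"]}:{acct["label"]}'] = totp(seed, unix_time)
    return codes


def phone_and_backup_agree(backup_json: str, unix_time: int) -> bool:
    """The 'something you have' collapses: the victim's phone (same seed) and the
    restored backup produce identical codes for the same time step."""
    phone_seed = base64.b32decode(json.loads(backup_json)["accounts"][0]["secret"])
    phone_code = totp(phone_seed, unix_time)
    restored = codes_from_backup(backup_json, unix_time)
    return restored["ExampleCorp SSO:alice@example.com"] == phone_code


if __name__ == "__main__":
    now = int(time.time())
    for name, code in codes_from_backup(FAKE_BACKUP, now).items():
        print(f"{name}: {code}")
```

The only thing standing between "has the backup" and "has the codes" is whatever protects the backup at rest: if the sync provider's account session suffices to restore it, the account password has become the single factor. A vault that needs a separate local password to unwrap the seeds at least reintroduces a secret the provider never sees.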
