Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security

✨ I have used nativefier, the "Make any web page a desktop application" utility for years. https://github.com/nativefier/nativefier

Recently, I have been getting a lot of small productivity gains from moving commonly used websites into their own apps. They do have a bit of RAM overhead, but I'm sitting on a 64GB MacBook Pro and YOLO but the ability to ⌘tab in between them is pure gold.

Privacy Is OK

Link: https://www.tbray.org/ongoing/When/202x/2022/12/29/Privacy-is-OK
Discussion: https://news.ycombinator.com/item?id=34177930

Next #opensource project: a Prisma middleware to handle password fields.

- Hash on write
- Verify (hash & compare) on queries
- Use bcrypt, scrypt or Argon2 (no insecure/unsalted SHA, or god forbid, MD5 😱)

I found that, despite the disclaimer, people use https://github.com/47ng/prisma-field-encryption to encrypt passwords, so there is a need for a better alternative.

Might be opening a can of worms here, hopefully @dchest's auth book will be of use to define good defaults. 👀