
Security Notice: Google Voice for 2FA


This is a quick alert. Over the past few months we’ve seen a large number of accounts compromised on several of our clients’ sites. All of them had Two-Factor Authentication enabled. How were they hacked, then?

Simple. First the attacker compromises the user’s e-mail account, mostly via phishing or by stealing the cookie using a malicious browser extension. Because Google uses the same cookie/account for all of its products, the attacker can also access voice.google.com, where any SMS messages sent to you are visible in real time. The attacker can now easily reset your password on any website: he has access to your e-mail for the reset, and can use voice.google.com to retrieve the Two-Factor Authentication code.

So please, if you are using Google Voice as your Two-Factor Authentication number, don’t! And if you know someone who does, please explain this to him or her.
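The dependency described above can be checked mechanically. The following sketch is an added example, not Authy code: it models what each secret unlocks and reports any single secret that yields both the password reset e-mail and the second factor. The account names and channel labels are constructed assumptions.

```python
# Added example: model which secrets unlock which channels, then check
# whether one compromised secret yields every factor an account relies on.
# All user names and channel labels are constructed for illustration.

# "Holding the key on the left gives access to the items on the right."
GRANTS = {
    "google_session": {"gmail_inbox", "google_voice_sms"},
    "gmail_inbox": {"password_reset_link"},
    "google_voice_sms": {"sms_code:voip"},
    "carrier_sim": {"sms_code:sim"},
    "phone_device": {"totp_code"},
}


def reachable(start):
    """Everything obtainable, transitively, from one compromised item."""
    seen, stack = set(), [start]
    while stack:
        item = stack.pop()
        if item in seen:
            continue
        seen.add(item)
        stack.extend(GRANTS.get(item, ()))
    return seen


def single_points_of_failure(required):
    """Root secrets that, on their own, yield every required factor."""
    granted = {v for vals in GRANTS.values() for v in vals}
    roots = set(GRANTS) - granted  # secrets nothing else in the model unlocks
    return sorted(r for r in roots if set(required) <= reachable(r))


# What an account takeover needs for each (constructed) user.
ACCOUNTS = {
    "alice": ["password_reset_link", "sms_code:voip"],  # Google Voice number
    "bob": ["password_reset_link", "sms_code:sim"],     # carrier SIM number
    "carol": ["password_reset_link", "totp_code"],      # authenticator app
}


def audit(accounts):
    return {user: single_points_of_failure(req) for user, req in accounts.items()}


if __name__ == "__main__":
    for user, spof in audit(ACCOUNTS).items():
        print(user, "->", spof or "factors are independent")
```

Only the account whose SMS codes land in Google Voice collapses to one secret; the other two need a second, separate compromise.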

About the author Authy

Authy is simple & secure two-factor authentication, available as a free mobile or desktop app, from Twilio.
