Security Notice: Google Voice for 2FA

This is a quick alert. Over the past few months we’ve seen a large number of accounts being compromised on several of our clients’ sites. All of them had Two-Factor Authentication. How were they hacked then?

Simple. First, the attacker compromises the user’s e-mail account, mostly via phishing or by stealing the cookie using a malicious browser extension. Because Google uses the same cookie/account for all of its products, the attacker can also access voice.google.com. There, the attacker can see any SMS messages sent to you in real time. This means that the attacker can now easily reset your password on any website, since he has access to your e-mail, and then use voice.google.com to retrieve the Two-Factor Authentication code.

So please, if you are using Google Voice as your Two-Factor Authentication number, don’t! And if you know someone who does, please explain this to him or her.
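For site operators, the failure described above can be checked for in enrollment data: an account is exposed when the password-reset mailbox and the Google Voice number belong to the same Google account. The following audit is an added example, not code from Authy or from the original post; the record layout, the `sms_line` and `voice_owner` fields (assumed to be known from a carrier lookup or user declaration) and the sample users are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Enrollment:              # hypothetical record layout
    user: str
    reset_email: str           # where password-reset links are sent
    second_factor: str         # "sms" or "totp_app"
    sms_line: str = ""         # "google_voice" or "mobile_carrier" (assumed known)
    voice_owner: str = ""      # Google account owning the Voice number, if known

def google_account(addr: str) -> str:
    """Canonical mailbox: Gmail ignores dots and +tags; googlemail.com is an alias."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local, domain = local.split("+", 1)[0].replace(".", ""), "gmail.com"
    return f"{local}@{domain}"

def classify(e: Enrollment) -> str:
    if e.second_factor != "sms" or e.sms_line != "google_voice":
        return "independent"           # code is not delivered to voice.google.com
    if not e.voice_owner:
        return "unknown"               # cannot rule out a shared account: review
    if google_account(e.reset_email) == google_account(e.voice_owner):
        return "collapsed"             # one mailbox compromise yields reset link and code
    return "voice_other_account"       # still Google Voice, but a separate login

def audit(enrollments):
    """Return {user: status} for every enrollment that needs attention."""
    return {e.user: s for e in enrollments if (s := classify(e)) != "independent"}

# Constructed sample data, not taken from any real system.
SAMPLE = [
    Enrollment("alice", "a.lice+bank@gmail.com", "sms", "google_voice", "alice@googlemail.com"),
    Enrollment("bob", "bob@example.org", "sms", "google_voice", "bob.voice@gmail.com"),
    Enrollment("carol", "carol@gmail.com", "totp_app"),
    Enrollment("dave", "dave@gmail.com", "sms", "google_voice"),
    Enrollment("erin", "erin@gmail.com", "sms", "mobile_carrier"),
]

if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        print(f"{user}: {status}")
```

Accounts reported as `collapsed` match the scenario in this notice exactly; `unknown` and `voice_other_account` still rely on Google Voice and are candidates for moving to a different second factor.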

About the author Simon Thorpe

Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information. At Authy he works closely with the whole team to deliver a world class solution for developers to build security into their applications.
