If you use Google 2fa authentication app you probably should turn OFF the sync to cloud option
Retool blames breach on Google Authenticator MFA cloud sync feature
Software company Retool says the accounts of 27 cloud customers were compromised following a targeted and multi-stage social engineering attack.
begs the question though
why is a company using google authenticator app in the first place for employees
sidenote: google should add the feature "verify device" then when a new device adds google authenticator app the device the app was 1st installed on gets an alert to verify or not
if you wanna ditch google authenticator app
try Aegis
open source app
https://github.com/beemdevelopment/Aegis
/nosanitize
https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis
sidenote:
you should enable google prompt
When you sign in to your Google Account via a new device you get a full screen alert notification on your main device(smartphone), you can tap that notification on your phone to confirm it's you or deny which will stop the sign in attempt - Google prompts give you info about the device, location, and time of the sign-in attempt.
enable it via your google account security 2fa
having google prompts enabled still allows you to to use 2fa app
@ecksmc so FIDO: what devices are en vogue? Titan/yubikey/nitro/?
@b4cks4w i don't use any of them
have read about them though YubiKey seems to be popular and would probably be the one i got/get if/when i switch
@ecksmc
I use Aegis and recommend it also.
For iOS users, I like RavioOTP.
@voltronic @ecksmc
FWIW Aegis is on Fdroid as well
Aegis Authenticator (Free, secure and open source 2FA app to manage tokens for your online services)
https://f-droid.org/packages/com.beemdevelopment.aegis/
yeah it was you i got the heads-up from :)
@ecksmc same reason they’d use Google docs/sheets instead of M365, I imagine - perceived cost savings. Gonna hafta read more on what happened though, since I don’t use Google Authenticator.
I do know from recently doing my annual refresh/clean install that if you have MFA enabled and log into your Google account from an unrecognized machine that it immediately alerts you on that account and any other you had listed in the security/recovery settings.
@Synical idk about the app
I use google prompt alert - Google prompts are notifications sent to your phone to confirm your identity you can then allow or deny the sign in from a new device
@ecksmc Great info... i just made that adjustment to safeguard. Thx for sharing!
@ecksmc crikes, had no idea that setting existed, lurking NOT IN SETTINGS. Thanks.
Edited:autocarrot
@ecksmc I still really like the Yubico Authenticator app so that my MFA secrets are *only* stored on a pair of hardware tokens (one of which stays locked in a fire safe). Makes it easy to switch between devices without relying on "someone else's computer" to sync the sensitive data.
if anyone gets access to your google account they can then instal the google 2fa app that will enable them to then get all your 2fa codes and see what accounts you have then start hacking your other accounts
switching cloud sync off means they can't as the 2fa codes are only on your device