Many of us trust Google Authenticator to add a layer of security to our accounts. But Google Authenticator has a serious security vulnerability that makes it unacceptable for CMMC compliance and dubious for general use.
By default, Google Authenticator syncs your one-time codes to your Google account in the Cloud. I do not use Google Authenticator, but I installed it on my Android device to test this out. What I discovered is that Google Authenticator has an icon indicating that codes have been saved to the cloud. I clicked on the cloud icon in the app a couple of times and did not immediately see an intuitive way of turning off this feature.
While Cloud Backup offers convenience, allowing you to recover codes if you lose your device, it also introduces a significant security risk. If an attacker gains access to your Google account, they could install Google Authenticator on their own device, pull down your synced codes, and use your MFA credentials.
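Why a synced copy is as good as the original device, shown as an added example (not code from this post or from Google): authenticator codes are standard time-based one-time passwords (RFC 6238), computed only from the stored secret and the current time. The secrets, timestamp and function names below are constructed for illustration; the last check assumes the account has been re-enrolled with a new secret, which is what makes an old copy stop working.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on secret and time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)      # 8-byte time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts(enrolled_secret: str, submitted: str, now: int, drift_steps: int = 1) -> bool:
    """Verifier side: compare against the enrolled secret, allowing small clock drift."""
    return any(
        hmac.compare_digest(totp(enrolled_secret, now + d * 30), submitted)
        for d in range(-drift_steps, drift_steps + 1)
    )

# Constructed sample values (the RFC 6238 test key, not a real account secret).
ENROLLED = base64.b32encode(b"12345678901234567890").decode()
ROTATED = base64.b32encode(b"09876543210987654321").decode()  # secret after re-enrollment
NOW = 1111111109

def demo() -> dict:
    phone_code = totp(ENROLLED, NOW)      # original device
    restored_code = totp(ENROLLED, NOW)   # second device holding the synced secret
    return {
        "phone": phone_code,
        "restored": restored_code,
        "restored_accepted": server_accepts(ENROLLED, restored_code, NOW),
        "accepted_after_rotation": server_accepts(ROTATED, restored_code, NOW),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier cannot tell the two devices apart, so the protection of the MFA factor is only as strong as the protection of wherever the secret is stored.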
For CMMC, MFA authenticator codes are considered Security Protection Data (SPD). As such, if stored in the Cloud, the Cloud must meet FedRAMP Moderate requirements. The consumer version of Google Cloud does not meet these requirements. In addition, these codes are specifically used to protect access to CUI. That means that transmitting them over a network to the Cloud requires FIPS 140-2 validated cryptography per SC.L2-3.13.11. The Google Authenticator app does not appear to employ FIPS 140-2 validated encryption.
For general users, Google Authenticator may be a reasonable choice if you turn off cloud synchronization. To do this, change the configuration settings in the Google Authenticator app to “Use without an account.” This will prevent your MFA keys from being uploaded to the Google Cloud.