
Bypassing Google's Two-Factor Authentication

An anonymous reader writes "The team at Duo Security figured out how to bypass Google's two-factor authentication, abusing Google's application-specific passwords. Curiously, this means that application-specific passwords are actually more powerful than users' regular passwords, as they can be used to disable the second factor entirely to gain control of an account. Duo publicly released this exploit Monday after Google fixed this last week, seven months after initially replying that this was expected behavior!"
  • by icebike (68054) on Tuesday February 26, 2013 @03:29PM (#43017285)

    From TFA:

    This is no longer the case as of February 21st, when Google engineers pushed a fix to close this loophole. As far as we can tell, Google is now maintaining some per-session state to identify how you authenticated: did you log in using a MergeSession URL, or the normal username, password, 2-step verification flow? The account-settings portal will only allow you to access security-sensitive settings after a username/password/2-step-verification prompt that you can't skip.

    So, yes, you are correct, that is how it used to work, but not any more.

    Still, these ASPs are not in fact "application" specific. They probably should be, but that would be pretty convoluted and people would throw up their hands and walk away. (I read somewhere that something like 80% of the people who try 2-factor give up when they see all the hoops that need jumping.)
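The fix quoted from TFA above (a session that remembers how it was established, plus a password + 2-step-verification prompt that cannot be skipped before security-sensitive settings) sketched as a small Python model, with the pre-fix behaviour beside it. This is an added example, not Google's or Duo's code; the class names, the two AuthMethod values, the ten-minute freshness window and the settings functions are assumptions for illustration.

```python
"""Constructed model of a web session that records how it was established
and gates security-sensitive settings on a full-strength login.
Illustration only: names, the AuthMethod values and the freshness window
are assumptions, not Google's implementation."""
import secrets
from dataclasses import dataclass, field
from enum import Enum


class AuthMethod(Enum):
    # Normal flow: username, password, then the second factor.
    PASSWORD_2SV = "password+2sv"
    # Session minted from an application-specific password; no second factor shown.
    ASP_MERGESESSION = "asp+mergesession"


@dataclass
class Session:
    user: str
    method: AuthMethod       # the per-session state the fix relies on
    issued_at: float         # when the authentication happened (epoch seconds)
    sid: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Account:
    two_factor_enabled: bool = True


class StepUpRequired(Exception):
    """The action needs a fresh password + 2SV prompt that cannot be skipped."""


# Assumption: a full-strength login stays fresh for ten minutes for sensitive actions.
REAUTH_WINDOW_SECONDS = 10 * 60


def login_with_password_and_2sv(user: str, now: float) -> Session:
    """Normal interactive login; both factors are assumed verified by the caller."""
    return Session(user, AuthMethod.PASSWORD_2SV, now)


def login_with_asp(user: str, now: float) -> Session:
    """Session obtained via an ASP (the MergeSession path in the write-up); one factor only."""
    return Session(user, AuthMethod.ASP_MERGESESSION, now)


def disable_two_factor_prefix(acct: Account, session: Session) -> bool:
    """Pre-fix behaviour as described: any valid session for the account can
    change security settings, so an ASP-derived session can turn 2SV off."""
    acct.two_factor_enabled = False
    return True


def require_full_auth(session: Session, now: float) -> None:
    """Step-up check: the session must come from the full flow and be recent."""
    if session.method is not AuthMethod.PASSWORD_2SV:
        raise StepUpRequired("session was not established with password + 2SV")
    if now - session.issued_at > REAUTH_WINDOW_SECONDS:
        raise StepUpRequired("full-strength login is stale; re-prompt before continuing")


def disable_two_factor_fixed(acct: Account, session: Session, now: float) -> bool:
    """Post-fix behaviour: security-sensitive settings sit behind require_full_auth."""
    require_full_auth(session, now)
    acct.two_factor_enabled = False
    return True


def try_disable_two_factor(acct: Account, session: Session, now: float) -> str:
    """Convenience wrapper that reports the outcome instead of raising."""
    try:
        disable_two_factor_fixed(acct, session, now)
        return "disabled"
    except StepUpRequired as exc:
        return f"step-up required: {exc}"


if __name__ == "__main__":
    t0 = 1_000_000.0
    victim = Account()
    asp_session = login_with_asp("alice", t0)
    print("pre-fix, ASP session:", disable_two_factor_prefix(Account(), asp_session))
    print("post-fix, ASP session:", try_disable_two_factor(victim, asp_session, t0))
    full_session = login_with_password_and_2sv("alice", t0)
    print("post-fix, fresh full login:", try_disable_two_factor(victim, full_session, t0 + 60))
    print("post-fix, stale full login:", try_disable_two_factor(Account(), full_session, t0 + 3600))
```

The point the model makes is that the ASP-derived session is still a valid session (it can keep doing what the ASP was issued for); what changes after the fix is that the authentication method and its age travel with the session, and the settings page consults them before letting the second factor be turned off.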
