Security and Privacy Failures in Popular 2FA Apps

Explore a critical analysis of security and privacy vulnerabilities in popular Two-Factor Authentication (2FA) apps presented at USENIX Security '23. Delve into the research conducted by experts from UC Berkeley and ICSI on Time-based One-Time Password (TOTP) algorithms and their implementation in Android apps. Discover the challenges users face in maintaining access to TOTP secrets and the various backup mechanisms employed by popular apps. Learn about the systematic assessment methodology used to evaluate the security and privacy implications of these backup strategies. Uncover alarming findings, including the reliance on potentially insecure technologies, sharing of personal information with third parties, cryptographic flaws, and potential access to plaintext TOTP secrets by app developers. Gain insights into recommended improvements for enhancing the security and privacy of TOTP 2FA app backup mechanisms in this informative 15-minute conference talk.

USENIX Security '23 - Security and Privacy Failures in Popular 2FA Apps