Google Doesn’t Even Use Google Authenticator
Would you buy a Tesla if you saw Elon Musk driving around Los Angeles in a Lexus? Perhaps a Pepsi if Indra Nooyi was sipping on a Diet Coke in a Manhattan cafe? We didn’t think so.
According to Krebs on Security, a popular security blog, Google isn’t using their Google Authenticator product:
“Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of one-time codes [from Google Authenticator].
“The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.
“In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app like Google Authenticator or Authy. That’s because thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or ‘porting’ your mobile number to a different device.”
Physical security keys are similar to RSA hardware tokens, which have been used by banks for years. The problem? Anyone who physically gets the keys or tokens has the codes! With the Hydro app, a hacker not only needs to get the user’s phone, but they need to hack into it. Remember, the FBI needed months to hack into the San Bernardino terrorists’ phones.
To learn more about the ways blockchain and cryptography have improved 2FA with the integration of Hydro Raindrop into the Hydro App, we put together a quick video!
If a company won’t even stand behind the product they created, why should you?