2FA just got better

Mathijs Lagerberg
Published in Pixplicity
Apr 19, 2023

Our Two-Factor security tool got analysed by Berkeley, and is now 187% more secure.

Okay, that percentage is a random number, because we couldn’t figure out how to measure security and put it in numbers. But it’s a fair guess. This is what happened:

In 2019 we wrote about our Two-Factor Authentication app creatively called “Pixplicity Authenticator”. It is a free app that generates two-factor login codes, which helps keep your accounts secure. We created it because the standard Google app did not offer some very basic features like sharing and backups. Which they still don’t, today, in 2023!

Back in 2019 we had 5000 beta users testing the app. Today we have 100,000 active users, half a million downloads, and a solid 4.2 star rating based on over 1,000 reviews. And that attracted the eye of security experts…

Security audit

Our app hadn’t been updated in a long time. For all intents and purposes, it was simply finished. Even though I used it almost daily, it moved to the back of my mind. So quite unexpectedly, I received an email from Conor Gilsenan, PhD student at UC Berkeley, who was researching usable security and privacy as a member of the BLUES Lab. He was writing a paper and as part of the research, analysed the most popular 2FA apps. There were some findings, he said, and he wanted to give me the chance to reply before publishing them. Fair enough! These are some of the findings:

  • While backups were encrypted, we made mistakes in the implementation. The result was that the weaker AES-ECB mode was used instead of the harder-to-crack AES-CBC.
  • We also did not use a different salt for each backup, but instead used the same one for every user.
  • We offered sharing codes with others without notifying the users of the risk involved.
  • We required a 10-character-or-longer password for encrypted backups, which they thought should be increased.

Furthermore, the research also recommended implementing a slower, harder to crack key generation method. More on that later.
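As an added example (not the app's code and not the Berkeley team's code), the Go program below puts the audit's findings and the recommended fixes side by side. It encrypts a constructed sample backup with AES-ECB and counts the repeated ciphertext blocks that mode leaks, then encrypts the same data with a fresh random salt per backup, a deliberately slow PBKDF2 key derivation, and AES-GCM, which, like the CBC mode the app switched to, uses a fresh IV/nonce per message, and additionally authenticates the backup so a wrong password or a modified file is rejected outright. The PBKDF2 routine, the iteration count, the `otpauth-secret!!` sample record and the file layout (salt || nonce || ciphertext || tag) are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const (
	saltLen  = 16
	nonceLen = 12      // standard AES-GCM nonce size
	kdfIter  = 100_000 // constructed iteration count; tune to the slowest supported device
)

// Constructed sample backup: four identical 16-byte records, the kind of
// repetition that makes ECB's weakness visible in the ciphertext.
var sampleBackup = bytes.Repeat([]byte("otpauth-secret!!"), 4)

// countRepeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier
// one. ECB maps equal plaintext blocks to equal ciphertext blocks; a mode with a
// fresh IV or nonce per message (CBC, GCM) does not.
func countRepeatedBlocks(ct []byte) int {
	seen, dup := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}

// encryptECB reproduces the flawed mode from the audit: no IV, every block
// encrypted independently. key must be 16/24/32 bytes, pt a multiple of 16.
func encryptECB(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // demo only; the caller guarantees the key length
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block,
// written out here so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): first (and only) output block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// newAEAD stretches the password with the per-backup salt (the value the audit
// found shared between backups) and wraps the 256-bit result in AES-GCM.
func newAEAD(password, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256(password, salt, kdfIter)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)                                    // AES block: cannot fail
	return aead
}

// EncryptBackup returns salt || nonce || AES-256-GCM(pt) || tag, so each backup
// gets its own salt, its own nonce and an integrity check over everything.
func EncryptBackup(password, pt []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead := newAEAD(password, hdr[:saltLen])
	// Seal appends ciphertext+tag to a copy of the header; the header itself is
	// bound as associated data, so a swapped salt or nonce also fails the tag.
	return aead.Seal(append([]byte(nil), hdr...), hdr[saltLen:], pt, hdr), nil
}

// DecryptBackup rejects a wrong password or any tampering before returning data.
func DecryptBackup(password, blob []byte) ([]byte, error) {
	hdrLen := saltLen + nonceLen
	if len(blob) < hdrLen+16 { // at least the 16-byte GCM tag must follow the header
		return nil, errors.New("backup too short")
	}
	hdr := blob[:hdrLen]
	pt, err := newAEAD(password, hdr[:saltLen]).Open(nil, hdr[saltLen:], blob[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("wrong password or tampered backup")
	}
	return pt, nil
}
```

Running countRepeatedBlocks over the ECB output of the sample shows three duplicate blocks, i.e. the structure of the plaintext is visible without the key; the same check over the GCM output finds none, and two backups of the same data never share a salt. If CBC is preferred, as in the app's actual fix, the same layout applies with a random 16-byte IV in place of the nonce, but CBC on its own does not detect tampering, so a separate MAC over salt, IV and ciphertext is needed to get the rejection behaviour that GCM provides here. The iteration count is the "slower key generation" lever from the audit: it should be set as high as the slowest supported phone tolerates, and a memory-hard function such as Argon2 or scrypt raises the cost to an attacker further still.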

I was not entirely surprised by this: the app was so old, and built by me, in my spare time, back when I barely knew what I was doing. Since then I have worked on many apps involving complicated cryptography, and simply never went back to check whether this app was properly implemented. I had implemented it to a level that was simply ‘good enough’: 2FA codes are a secondary factor anyway, and if anyone gets hold of your backups, properly encrypted or not, you have a much bigger problem. However, as time goes by, simpler algorithms become easier to crack and harder algorithms become easier to implement. So it was time for an update!

Not only did Conor notify us of these findings, he also gave code examples of how to improve it, and offered to help. Naturally I was very pleased with this, thanked him, and received the reply that I was one of only few to do so. Apparently, some other 2FA-app creators were less than pleased that someone did a security analysis. While this was basically an audit, for free!

It is so rewarding to hear back from a developer who appreciates our research and aims to improve their app for users. Much thanks.

Improvements we’ve made

We fixed the mistakes in the encryption implementation. We also added a warning before sharing codes with others, and upped the minimum password length.

If you have made a backup with an old version of the app and want to feel extra secure, then we recommend making a new backup and deleting the old one.

We did not, however, upgrade to a more advanced key generation method. Why not?

  • Our app only stores the means to generate 2FA codes. It does not (and never will) store your passwords. This means the Authenticator app is only responsible for the second layer of defense, and not for the main layer.
  • Our app does not store backups in a place that is reachable by anyone else. If you store your 2FA backup on Google Drive or Dropbox, and someone has gained access to the backup file, it means someone already hacked your Drive or Dropbox, and you have a much bigger problem!
  • We do not offer cloud backups ourselves. This means that the 2FA backups are not stored on our side, at all. If anyone hacks us, they will not ever get access to your backups, because we don’t have them. In fact, our app doesn’t even have permission to access the internet!

After making the changes, we notified the Berkeley team of the update. To check if they would analyse the app again, we hid a small easter egg that was only visible in code. Just to say ‘hi’. Naturally, they found it:

we particularly enjoyed the easter egg you put in there saying hi to us through the unused variable in the code :)

Download the updated app from the stores here:

What we’ve learned

Conor published the paper with his findings, and with the things we fixed to improve according to his directions. We’ve learned that having implemented encryption once does not mean you shouldn’t go back and check it every once in a while. We learned that even the tech giants do a pretty bad job of securing their data, sometimes not even encrypting it at all. We also learned that our app was more popular than we anticipated, even though we never did any promotion whatsoever. And finally, we learned that a developer called Epic Apps Studio cloned our app, re-uploaded it with a new interface and riddled it with ads. We highly recommend steering clear of that one. The original Pix Authenticator does NOT have ads, never will have ads, and has a twice as high app rating.

Also, we can safely say that we improved our app security to great new levels thanks to a security audit performed by PhDs at Berkeley!

Security measures are useless if they are not used. Simplifying technology to bring it into the hands of everyone is exactly what we love to do, and what we excel at, here at Pix. If you’d like to see more cool stuff we built, visit pixplicity.com/work, or shoot a message to welcome@pixplicity.com.
