[buran77]

> This is 100% false

That's a bit harsh, the actual disabling does not require a 2FA token so that part at least is true. And this is not the behavior I was expecting. On many other services I use disabling the 2FA requires 2FA confirmation and sometimes just visiting the security settings for the account requires the 2FA (if enabled). So maybe it's just "50% false"...

[m00x]

There's nothing harsh about it. It's factual.

It does require 2FA, which makes the statement in the headline false.

It doesn't require 2FA reauthentication, which means you already passed 2FA.

You could say: "You don't need a password to log in to anyone's gmail account", while meaning that you just need to have access to their unlocked device while they're logged in.

[ehsankia]

Eh, it still comes down to how you interpret the sentence, which is non-obvious.

In your mind, "2FA" means "2FA authentication session", but in most people's mind, "2FA" means a "2FA code". And it is true that you don't need a new 2FA code. So depending on the interpretation you take, it's either 0% true or 100% true.

[azinman2]

There’s a difference between logging into Google via 2FA and having subsequent interactions not require the 2nd factor, and turning off 2FA without a reconfirmation. You don’t want maximum usability in disabling your security mechanisms.

[UncleMeat]

What threat model concerns you here? Anybody who'd be able to disable 2FA already has access to my logged in Google session on a trusted device. The game is over.

[zaroth]

Right. Instead of debating the headline, this is the real question. The current behavior is that "someone on a 2FA authenticated session can disable 2FA". OK, so what?

Google is intentionally leaving this route open to lessen the impact of a lost authenticator. Probably this is a very significant cost savings for them -- although I don't know what their account recovery policy is for "lost" 2FA.

I'd say one risk factor here is that if someone is able to piggyback your session (e.g. CSRF) specifically into the 2FA Settings API, they may be able to get your 2FA disabled in a way that meaningfully exposes your account to a wider attack.

Another risk is similar to why you should require a password to be re-entered in order to change a password. The user is already in an authenticated session, and yet, it's still considered best practice to prompt for the existing password at the same time. This can't merely be as a second layer of CSRF protection, right? If your CSRF is broken, fix your CSRF.

I would assume the theory is to prevent an opportunist attacker with a small time window of access to your session (keyboard) from getting longer term access to your account.

Particularly for accounts that have long-lived sessions that don't have to use 2FA very often because of the cached session, you might not notice for quite some time that 2FA is no longer active.

As with most things in security, it's a double-edged sword.

[bluesign]

"Another risk is similar to why you should require a password to be re-entered in order to change a password."

you know that google asks your password when you want to change your password right?

[unloco]

and he is comparing the two. Why ask for password before changing a password? Why not ask for 2FA before changing your 2FA?

[golem14]

Pragmatically, I believe the threat is that someone has managed to install some malware on your phone/computer/... you are 2FA logged in.

If so, then the bad guys can disable 2FA on your account without you having to prove the 2FA token. [Edit: but nowadays, at least you get emails and device notification that it has happened]

Traditionally, security teams have thrown up their hands and said - with malware installed, all bets are off.

I'm not sure I agree with that assessment these days, with state sponsored 0-days and trojans. I think that OPs sentiment is right, and Google and others should require 2FA reauthentication to remove 2FA, especially for their 'titanium' security tier.

BTW, it's interesting to ask what is the downside of requiring 2FA re-authentication: I believe the reason to not require 2FA is historical: When it was initially rolled out, a bunch of people tried out 2FA because it was the new coolness, got somehow lost and immediately wanted to disable it, but are not able to (lost token, have no idea what the heck they are doing etc) and get stuck. Since 2FA account recovery is very manual and expensive, Google probably doesn't want to take that hit.

[pdpi]

An attacker gaining access is one problem.

An attacker disabling and then promptly re-enabling 2FA (thus locking me out of my own account) is a different problem altogether.

[baby]

Debatable. If you lose your second device but still have access to a logged account you want to be able to disable 2FA.

[azinman2]

This defeats the point of 2FA if you can turn it off without that second factor. In your example, if you don't have that authenticated session then you're still screwed... so you must design for the worst case scenario. The risk of 2FA is losing a device, which is why a proper design has other safety backups, such as backup codes, or leveraging a combination of other accounts that can vouch for you and humans in the loop.

[baby]

> This defeats the point of 2FA

that's not true. You need to think of a threat model. 2FA still successfully prevents attackers that do not yet have a session to connect to your account.

So it is still a clear net benefit.

What it does not prevent, is attackers downgrading your account from a session that already exist. At this point it is easy to argue that if an attacker has this kind of access then the only thing you can do is add 2FA to all critical actions, not just removing 2FA (that would be the least of your issue), but every critical action you can do in the app.

For example if the app is a bank, and wants to protect against these kind of attacks, then they have to prompt 2FA every time you want to want to send money (at least).

[anon102010]

You already have authenticated your computer as the second factor. The article headline implies you can just use a password to remove 2FA. False.

You can use your password AND that authenticated and still valid session or device to do the reset.

Google gives you options with your free account.

1) No 2FA

2) 2FA with insecure methods

3) 2FA with security keys and authenticators.

4) Advanced Protection Program

5) Paid account options with additional options / controls.

[hombre_fatal]

Great counter-point, it's not as black and white as it seems.

Google's own 2FA app (Google Authenticator) doesn't even let you export your keys.

[graton]

Actually the newest version does allow export. For years it was true you couldn't export. But now they allow you to export. Thankfully.

Though I tend to use U2F. With Yubikeys and other U2F keys. I use my Yubikey to store a backup of the TOTP (Authenticator type) codes. I also set a password and touch required to generate the codes.

[mathisonturing]

If you're talking about importing/exporting your list of 2FA codes, I think they've added it

[fasterthanlime]

They have! But only via QR codes (multiple, if needed). It's clearly meant to help migrate your TOTP secrets to a new phone.

[lordlimecat]

No, it requires a token which is one factor. Usually (but not always, as in the attack detailed in the article) obtaining that token requires 2fa.

This is behavior that I have seen with no other company.

[buran77]

> It doesn't require 2FA reauthentication

I'm sorry but that's really being pedantic. Re-authentication is an authentication, again. You can change (remove!) a security factor with no confirmation of that particular factor for that particular action.

> You could say: "You don't need a password to log in to anyone's gmail account"

You could say it and it would be true, just not very interesting as this is exactly what everybody expects. But if you'd say you are allowed to change the password without entering the old one it would sound pretty much like what's happening here, no?

Google is not consistent with how they treat the 2 factors (password vs. second factor). At the very least they should make it clear when enabling it under what circumstances it can be disabled. No guarantee people will read but at least the more security concerned would. You can defend their decision if you want but contradicting the situation is really not "factual", it's just playing with words.

[virgilp]

Etrade does this, drives me nuts; I can't delete old 2FA devices because I no longer have them. Where's the security benefit in that???

[zaroth]

This is slightly different (worse IMO).

If you have a valid 2FA authenticator, you should be able to edit your 2FA Device List for any of your authenticators. But to do that, I would still expect the site to re-authenticate the user with one of their 2FA options in order to make the change.

[ehsankia]

To be fair that's what backup codes are for.

[virgilp]

It's not that I can't get back into the account - it's just that I can't delete an old 2FA token that I lost. Because it asks for a code from the token that I'm trying to delete...

[ehsankia]

I see, that's a bug then. For all intents and purposes, backup codes should be equivalent to a 2FA token. So you should be able to use it when removing the old 2FA.

[buran77]

> Where's the security benefit in that???

Well... the security benefit is precisely that nobody can access your account without 2FA. Maybe you wanted to ask "what's the point in having security if usability can become so fragile?".

The point is to give users the secure option and let them decide what to go with, or at least make it clear for the users what the expected behavior is. So far it's obviously not clear. People assume you need that since you need the password to change the password, you need 2FA to change 2FA. I mean that's why you enabled it, to protect all aspects of your account.

On the other hand you should have plenty of options to protect your 2FA: save the seed (QR code), have multiple tokens, save your recovery keys, etc. Not the least of which should also be for the operator to give you a secure reset option.

[virgilp]

It's the opposite. I actually lost a 2FA token, got back into the account, added a new one - but I can't delete the old 2FA. You shouldn't ask for 2FA authentication of the same device that I'm deleting....

It'd be nice if they accepted the 2FA code from my other devices, but then it's questionable security; I just managed to log in with 2FA, are you asking me again to confirm my identity in order to delete old device? Ok I guess... but I can already add a new device, you know. And then use it to delete all the others.... are you really giving extra security?

[jdmichal]

> ... the security benefit is precisely that nobody can access your account without 2FA.

Except they can access it with any of the multiple 2FA registrations that grandposter can't delete.

I don't think it would weaken any security posture to allow any 2FA to manipulate all of them.

[kkarakk]

there is no point of having a circle of trust in that case. i do the 2FA for my son but then son loses authentication - that should mean i can get access

if you want zero grade authentication use one of the 8 one time use codes you get in authenticator instead.