[brunojppb]

Fantastic write-up. Major props for disclosing the details of the attack in a very accessible way.

It is great that this kind of security incident post-mortem is being shared. This will help the community to level-up in many ways, specially given that its content is super accessible and not heavily leaning on tech jargon.

[hn_throwaway_99]

I disagree. I appreciate the level of detail, but I don't appreciate Retool trying to shift the blame to Google, and only putting a blurb in the end about using FIDO2. They should have been using hardware keys years ago.

[dvdhsu]

Hi, I'm sorry you felt that way. "Shifting blame to Google" is absolutely not our intention, and if you have any recommendations on how to make the blog post more clear, please do let me know. (We're happy to change it so it reads less like that.)

I do agree that we should start using hardware keys (which we started last week).

The goal of this blog post was to make clear to others that Google Authenticator (through the default onboarding flow) syncs MFA codes to the cloud. This is unexpected (hence the title, "When MFA isn't MFA"), and something we think more people should be aware of.

[hn_throwaway_99]

I felt like you were trying to shift blame to Google due to the title "When MFA isn't MFA" and your emphasis on "dark patterns" which, to be honest, I don't think they are that "dark". To me it was because this felt like a mix of a post mortem/apology, but with some "But if it weren't for Google's dang dark patterns..." excuse thrown in.

FWIW, nearly every TOTP authenticator app I'm aware of supports some type of seed backup (e.g. Authy has a separate "backup password"). I actually like Google's solution here as long as the Workspace accounts are protected with a hardware key.

The only real lesson here is that you should have been using hardware keys.

[darkerside]

This comment reads more poorly to me than the actual blog post. It _should_ be your intention to shift partial blame to Google, and you should own it. It's ridiculous that they make an operation like syncing your MFA keys seem so innocuous. I just changed phones, so I'm just seeing this user flow for the first time, and it is ghastly how they've made it the default path.

Changing things to make it less offensive to someone who was offended really waters down your position.

[deepspace]

There is also the bit about the phishers deep-faking an employee's voice. Yeah, right. That happened. /sarcasm

[hn_throwaway_99]

In fairness dvdhsu responded about that point elsewhere: https://news.ycombinator.com/item?id=37502239

[duderific]

It was also a bit weird how they kept emphasizing how their on-prem installations were not affected, as if that lessens the severity somehow. It's like duh, that's the whole point of on-prem deployments.