[sequin]

How did they get the passwords to his Google and Coinbase accounts? He reused passwords? The same one for Google as for Coinbase? Or did they reset his Coinbase password via his Gmail? The post doesn't make this explicit, but it warns against password reuse.

[davidscoville]

I believe they logged into coinbase with Google SSO. And then they used my Google Authenticator codes which were cloud synced as the second factor auth method.

A warning to auth engineers: if an account is using a Gmail address, then auth codes from Google Authenticator should not be considered a second factor.

[avree]

This isn't something "auth engineers" can control, there's no magic Google Authenticator flag on a 2fa code - it's all HMAC and numbers, you don't know if the code came from Authy, Google Auth, a homebrew code generator, a dongle, etc.

[wmf]

It sounds like we're back to physical Yubikeys as the only secure auth.

[moduspol]

Seems reasonable if you need to secure five figures or more in crypto.

[acdha]

Passkeys also solve this even if they’re not hardware backed. He was able to give them a code but wouldn’t have been able to do a passkey handshake for a domain which isn’t Google.com. Plus they’re easier to use and faster.

[wmf]

I don't know about that. If they can hack your Google/iCloud account they can add a new device, sync all your passkeys to that device, then log into all your other accounts.

[acdha]

How do they do that if you are incapable of giving them a valid authentication code?

I don’t use Google but at least in the Apple world you also get a fairly different prompt for enrolling a new iCloud Keychain device than simply logging in. Obviously that’s not perfect but there is a good argument for not getting people accustomed to hitting okay for both high and low impact challenges using the same prompt.

[ameliaquining]

But they can't hack your Google or iCloud account if it's secured with a passkey, unless they have some other non-phishing means of doing so, which the attacker in this story presumably did not.

[davidscoville]

Exactly. Google created vulnerabilities for the whole industry by introducing cloud synced Authenticator codes.

[commandersaki]

Similarly the SSO sign in, which I think is much worse. Though arguably Coinbase is at fault for that one.

[haarolean]

>A warning to auth engineers: if an account is using a Gmail address, then auth codes from Google Authenticator should not be considered a second factor.

Incredible take. I don't know what's worse here — suggesting gmail address = google authenticator, thinking you can know the source of "auth codes", or the fact this is coming from an auth engineer. I'm switching to handwritten HMACs on paper napkins today.

[em500]

Google/Chrome Password Manager?

[IncreasePosts]

But how did they get his Gmail password in the first place?

I'm not sure if I have the same password reset flow as OP, but when I try to reset my password and even provide the 2fa code, it basically doesn't let me get past a certain point without contacting my backup email address or making me use a phone which I'm logged in on to complete the reset

[zargon]

The article gives advice to change your passwords because of leaks. So as the post above suggests, it really sounds like they reused their google password somewhere. Then had Google sign-on for Coinbase, or had their Coinbase password in Google.