Full Disclosure mailing list archives

Re: Security Problem with Google’s 2-Step Authentication


From: andfarm <andfarm () gmail com>
Date: Mon, 30 Jul 2012 09:46:17 -0700

On 2012-07-30, at 07:41, Pablo Ximenes <pablo () ximen es> wrote:
> I'd like to share with you one of my findings that failed to get
> Google's Security Reward. Although Google doesn't consider it a
> security problem, some might find it at least amusing if not
> interesting.

From the linked article, http://ximen.es/?p=653 -
> I found out they have a time window of 10 minutes in which any of the 20 OTP passwords are valid. [...] I have
> suggested invalidating all the time window (all the 20 OTPs) [when a user uses an OTP...]

Invalidating the entire window would make you unable to authenticate using OTP more than once every 10 minutes. In any
case, I'm having a hard time imagining what sort of threat model would make this necessary -- if you can somehow
predict a user's OTP code for some point in the future, you could go ahead and predict one that's even further in the
future (outside the window of invalidated keys), and use it when that time arrives.

> or at least they could synchronize accounts.google.com’s watch with the user’s at some point, like some banks do.

Current versions of Google Authenticator have an option to do exactly this. The 10-minute window seems kind of wide; 
I'd imagine that it was introduced before the time sync option was available, for compatibility with devices that are 
on cell networks with bad time servers.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
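The acceptance window and the two invalidation policies argued over above, as an added worked example; this is not code from either poster or from Google, and the 10-step-each-side window, the `policy` names and the `TotpVerifier` class are assumptions chosen to mirror the "20 codes in 10 minutes" figure from the quoted post. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238, and the secret in the comments is the RFCs' published test secret.

```python
import hashlib
import hmac
import struct


# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(unix_time // step), digits)


class TotpVerifier:
    """Server-side TOTP check with a clock-skew window and a replay guard (assumed design).

    policy="step"   : a successful login burns only the matched time step, which is the
                      RFC 6238 rule that a code must not be accepted twice.
    policy="window" : a successful login burns every step in the accepted window, the
                      policy proposed in the quoted post; it blocks any further OTP login
                      until the clock has moved past the burned steps.
    """

    def __init__(self, secret: bytes, step: int = 30, window_steps: int = 10,
                 digits: int = 6, policy: str = "step"):
        self.secret = secret
        self.step = step
        self.window_steps = window_steps   # 10 steps either side = 20 codes = 10 minutes
        self.digits = digits
        self.policy = policy
        self.used = set()                  # counters that can no longer be redeemed

    def _window(self, center: int):
        # Steps the verifier is willing to accept around the server's current step.
        return [c for c in range(center - self.window_steps, center + self.window_steps)
                if c >= 0]

    def verify(self, code: str, now: int):
        """Return (accepted, detail). On success detail is the step offset from 'now'."""
        if not (code.isdigit() and len(code) == self.digits):
            return False, "malformed"
        center = int(now // self.step)
        window = self._window(center)
        # Forget burned counters that have fallen out of the window; they can never match again.
        self.used = {c for c in self.used if c >= center - self.window_steps}
        for counter in window:
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                if counter in self.used:
                    return False, "replay"
                if self.policy == "window":
                    self.used.update(window)
                else:
                    self.used.add(counter)
                return True, counter - center
        return False, "no match"


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 / RFC 6238 test secret
    step_only = TotpVerifier(secret, policy="step")
    whole_window = TotpVerifier(secret, policy="window")
    first, second = totp(secret, 59), totp(secret, 89)   # two consecutive 30 s steps
    print("step   :", step_only.verify(first, 59), step_only.verify(first, 70),
          step_only.verify(second, 89))
    print("window :", whole_window.verify(first, 59), whole_window.verify(second, 89))
```

With `policy="step"` the replayed code is rejected but the next step's code still logs in; with `policy="window"` the second, perfectly valid code is also refused, which is exactly the "once every 10 minutes" effect the reply points out. Narrowing `window_steps` once clients can resync their clocks is the cheaper way to shrink the exposure.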

