Application-specific passwords weaken Google's two-factor authentication, researchers say

Researchers found a method to hijack Google accounts using application-specific passwords

By Lucian Constantin, IDG News Service

"We think it's a rather significant hole in a strong authentication system if a user still has some form of 'password' that is sufficient to take over full control of his account," the Duo Security researchers said. "However, we're still confident that -- even before rolling out their fix -- enabling Google's 2-step verification was unequivocally better than not doing so."

That said, the researchers would like to see Google implement some kind of mechanism similar to OAuth tokens that would allow restricting the privileges of every individual application-specific password.

Google did not immediately respond to a request for comment about this flaw or possible plans to implement more granular control for application-specific passwords in the future.
