Retool, a well-known low-code platform provider, recently disclosed incidents in which attackers gained partial access to its internal systems. The attackers used phishing emails and phone calls, posing as employees, to trick staff into handing over One-Time Passwords (OTPs). With those codes they were able to compromise the employees' Google accounts.
Retool's main concern, however, is a new Google Authenticator feature: OTP sync. Introduced earlier this year, it synchronizes OTP secrets across devices through the user's Google account. Retool criticizes this design because it effectively reduces multi-factor authentication to a single factor: whoever gains unauthorized access to the Google account also obtains every synced OTP secret, and with it every remaining step of the login process.
To address this, Retool urges Google to rethink the design: either drop cloud-based OTP synchronization or, at a minimum, give enterprise account administrators the option to disable the feature within their organizations.
TLDR: Retool has raised concerns about the OTP sync feature in Google Authenticator, stating that it renders multi-factor authentication essentially useless and allows attackers who compromise a Google account to obtain its synced OTP secrets. Retool recommends that Google either revise the design of the feature or let administrators disable it within their organizations.