Defeating Google’s Two-Factor Authentication on Chrome: Shut off the Machine?

After the epic hack of Mat Honan, I went ahead and set up Google’s Two-Factor Authentication (TFA).  My passwords are usually quite strong, but in this case it was a outside channel attack in which passwords only played a small part.  I figured that the slight inconvenience of TFA would be worth it to help ensure that nothing similar could happen to me.

(It is slightly inconvenient for everything that’s not Google Chrome.  Any time you close an application that doesn’t work with the system, you have to go to the website and generate a new password.  To do that, you have to log in and get an SMS message first.  That means that if I reboot my Mac, to get back into my chat client Adium, I have to open it, open a browser, sign in, get an SMS code, go to my accounts page, revoke the previous temporary password, and generate a new one all before I can send one line of text.  Needless to say, I leave the program open all the time now, and rarely reboot if possible.  Is that more secure…?  Only insofar as I lock my computer when I leave it, which means I’m back to … one-factor authentication.)

However, I discovered on two occasions when my Mac crashed (it does happen) that if you’ve had Chrome open when it crashed, it will ask you if you want to restore the tabs you had open previously.  If you say yes, it will restore the open tabs, including the ones for which you’re supposed to need two-factor authenticaion – without even one of the authentications!   It opens all the tabs again, including any Google ones (and I routinely have GMail, Google Voice, Google Reader, and G+ up) just as they were before – no passwords and no extra authentication required.

Essentially, if you want to defeat Google’s Two-Factor Authentication, you can shut down the machine and merely have to get through the boot password to get to any of the open tabs once the browser restores them for you!

Does this happen to anyone else?

ChromeTfa

Comments (0)

Comments are closed.

%d bloggers like this: