I spoke with the researcher who found the database, Anurag Sen, who told me they “came across the database during a routine check I do.” Sen says that they have been doing this to check on cloud-based databases for the past five years. I have reached out to YX International, Google, Meta and TikTok for comment.

“Lots of companies are moving their production servers to cloud but the basic authentication and encryption are not placed,” Sen says.

Do Google, WhatsApp And TikTok Users Have Cause For Concern?

The exposed database shows, Sen says, that “the method to store and process 2FA should be more robust and secure.”

With logs dating back as far as July 2023, the lack of a password to protect this database is shocking, but is it a security risk? From the perspective of the 2FA codes, I would have to say not very much. After all, such codes expire very quickly, and a threat actor would have to be monitoring both the additions to the database and the actions of a target. In the scheme of things, this is very unlikely indeed.

Does This Mean You Shouldn’t Use SMS For 2FA Security Codes?

Although users don’t need to be too concerned that 2FA codes were included in the misconfigured and unprotected database in question, that doesn’t mean there isn’t a lesson to be learned. Jake Moore, the global cybersecurity advisor at ESET, told me that “one time passwords via SMS are a far safer option than relying on a password alone but when threats are now multi layered themselves, accounts need the strongest multi layer protection themselves to stay secure.” Passkeys, authenticator apps and physical security keys all offer even more secure protection.

“So, when setting up security is now easier than ever,” Moore continues, “anyone left relying on passwords alone or using SMS 2FA codes might want to reconsider their original choice.”