[guardian-dev] Bypassing Google's Two-Factor Authentication

Hans-Christoph Steiner hans at guardianproject.info
Tue Feb 26 11:13:30 EST 2013


"The team at Duo Security figured out how to bypass Google's two-factor
authentication, abusing Google's application-specific passwords. Curiously,
this means that application-specific passwords are actually more powerful than
users' regular passwords, as they can be used to disable the second factor
entirely to gain control of an account. Duo [publicly released this exploit
Monday] after Google fixed this last week — seven months after initially
replying that this was expected behavior!"

