What to do when your authenticator gets compromised?

Earlier this week, Raivo, a popular 2FA app for iOS, started crashing on startup, lost people's tokens, and put the already-existing export functionality behind a paywall (a.k.a. ransomware). This led to a lot of frustration.

A screenshot of a GitHub issue in the Raivo repository. It has the title: 'are you fucking INSANE?'
pictured: frustration

Turns out that, back in the summer of 2023, the original developer had sold the app to an incredibly shady[1] company called mobime. This was done as quietly as can be: the users of the app were not notified of this change. This, while unethical, does not constitute evil intent on the original developer's part in my opinion, but likely an oversight.

Handling 2FA tokens has security implications[citation needed], and there has to be a level of trust between the user and the 2FA app. Sneaking in ransomware to your app is generally considered to be a breach of trust[citation needed].

It is therefore safe to say that, if you're a Raivo user, you should treat your tokens as compromised. What the app actually holds is the shared secret (the seed) for each account, and whoever has that seed can compute the same codes you can.

So, what should you do if this happens to you?

Do: get a new app and generate new tokens

Your current tokens belong to the malicious app developer now. They're gone. Do not try to move them to a new app: copying a seed into a different app does not revoke it, it only makes a second copy. The same minds who ship ransomware to your phone will not hesitate to upload your seeds to their servers, and with the seed they can generate valid 2FA codes for any of your accounts for as long as that seed stays enrolled. They still need your password to get in, but the second factor no longer protects you against anyone who has it.

The only safe option is to manually regenerate each token. "Regenerate" means re-enrolling 2FA on the account itself, so the service issues a fresh seed and stops accepting codes from the old one; disabling and re-enabling 2FA in the account's security settings usually does this, and is also a good moment to rotate the account's recovery codes. This is time-consuming and a bit annoying, so it's like any other security best practice. Log in to each account, generate a new token, and put it in a new, more trustworthy, app. Until, of course, that new app gets compromised in some other way, because we can't have nice things anymore.

Do: leave a review on the compromised app

One of the key parts of the attack vector for these malicious app developers is to acquire an already highly-rated app. Tanking the review score by leaving your honest review will stop more people from getting scammed. Be honest and open with your review, and be sure to let the world know how you felt when you found ransomware in your 2FA app.

Do: tell people around you

Tell your colleagues, friends and family about it; in case they use the compromised app and haven't noticed it yet. Offer them help and support, if you can: as nerds, we have a duty to offer our expertise to our immediate communities (also known as living in a society).

Do: regularly back up your tokens

In this particular ransomware attack, I could still access my tokens, so it was relatively easy to generate new ones. Other people were not so lucky: they lost all of their tokens. They now have to go through recovery processes (best case scenario) or talk to customer service (worst case scenario) for each of their tokens. This makes it at least an order of magnitude more complicated to get new tokens.

However, there is a gotcha: you need to be very careful with this backup. An export of your tokens contains the seeds themselves, so it is exactly as sensitive as the app, and anyone who reads it can generate your codes. It has to be encrypted with a long passphrase that you do not reuse anywhere else. It has to be stored securely where no one else can access it, preferably offline rather than in the same cloud account it protects. If you think you can't be bothered to back it up correctly, then it's better to not back them up at all.

Don't: harass the original developer

Having ransomware in your 2FA app and/or losing all your tokens is an incredibly frustrating experience. It leads to a lot of strong emotions that can easily overwhelm. Keep in mind that the original developer might not have predicted that this would happen. Give them the benefit of the doubt, but no more trust. Direct your strong emotions to the app review.

Don't: use your password manager as your 2FA app

Having a second factor protects you in the case where someone knows your password. Ergo, it's a bad idea to put it next to your password: if the vault is breached, or its master passphrase is phished, the attacker walks away with both factors at once, and you're back to single-factor authentication without realising it.

Don't: implement your own 2FA app

You could create your own 2FA app fairly easily by implementing RFC 6238: the code generation is a single HMAC over a time counter. But that's not the point of 2FA apps. Their main job is to securely store the seeds (at rest, in backups, across device migrations, against a malicious app on the same phone), and that is very hard to get right.

However, there is a gotcha: the app you are using right now will probably be compromised at some point (because we can't have nice things anymore, remember?). So, quit your job, desert your family and dedicate a few years of your life to get really proficient at security and cryptography: then you can have a 2FA app you can really trust.


[1]: If you're a company that sells anything, and there is nothing about you online, shady is the least that can be said about you.