Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that’s used as a two-factor authentication (2FA) layer for many online accounts.
Google launched the Authenticator mobile app in 2010. The app works by generating six to eight-digits-long unique codes that users must enter in login forms while trying to access online accounts.
Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user’s smartphone and never travel through insecure mobile networks, online accounts who use Authenticator codes as 2FA layers are considered more secure than those protected by SMS-based codes.