
Retool blames breach on Google Authenticator MFA cloud sync feature

22 points by talonx over 1 year ago

4 comments

htrp over 1 year ago
"After signing in, the attacker deepfaked an employee's voice and called the targeted IT team member, tricking them into providing an additional MFA code, which allowed the addition of an attacker-controlled device to the targeted employee's Okta account."

Welcome to the future, where we are one step away from needing challenge-response authentication for in person face to face conversations.
branon over 1 year ago
"on-premise" - I think they actually mean on-premises. A premise and a premises are not the same thing. I see this mistake made all too often.
YouWhy over 1 year ago
0. Realistically, any mature MFA app needs to have a cloud backup option enabled by default.

1. Google did not message their induction of Authenticator cloud backups as having a massive impact on their clients' vulnerability surface.

2. It appears a bit from the post-mortem that Retool was considering itself as a SW company, rather than a security-critical infrastructure provider.

3. All of that adds up to - organizations that have much to lose from a compromise need to do their own security thinking and assessment. Corporate-style thinking along the lines of "if it has an enterprise offering, it must be up to scratch" was never enough, and it will never be.
nijave over 1 year ago
I don't think cloud sync is fully to blame. They probably also should have been using hardware tokens instead of TOTP.

There are also password managers like 1Password and Bitwarden that can store TOTP keys and sync them while still providing multiple layers of authentication (...and hardware key support)