Friday, September 19, 2014

Google and two factor authentication

A nice feature of Google two-factor authentication is that it lets the user become aware of a potential account compromise. If someone captured your credentials and tried to access your email account through the usual Google web-based portals, you would get an SMS notification as part of the two-factor authentication flow.
However, as a malicious user, you would want to just validate that the credentials were correct and avoid triggering the two-factor authentication SMS. This got me thinking about other ways I could attempt to authenticate to the Google services without the user being aware of potential credential compromise: validating the credentials while preventing the two-factor authentication notification to the legitimate user, so they would not know the credentials had been compromised.

I decided to test over SMTP. So, just using Java, I attempted authentication over SMTP. If you authenticate with invalid credentials you will get the following exception message:

Caused by: javax.mail.AuthenticationFailedException: 535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8 http://support.google.com/mail/bin/answer.py?answer=14257 wp7sm2528486wjc.12 - gsmtp

However, if you attempt to authenticate with the correct credentials but two-factor authentication is configured on the account, you will get the following exception, and no notification will be sent to the end user:

Caused by: javax.mail.AuthenticationFailedException: 534-5.7.9 Application-specific password required. Learn more at
534 5.7.9 http://support.google.com/accounts/bin/answer.py?answer=185833 bj7sm2504496wjc.33 - gsmtp

Despite the exception class being the same, you will notice there are differences in the error messages: the SMTP reply code and enhanced status code differ (535 5.7.8 versus 534 5.7.9). Both are of course failed authentication attempts, but through subtle information leakage the latter tells me:

  • The credentials for the account are correct
  • Two factor authentication is in use
  • The legitimate user does not receive a 2FA notification and is therefore unaware that the credentials have been compromised.
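As an added example that is not part of the original post (the post used Java; this is a stand-alone Python illustration), the following code parses the two SMTP replies quoted above, shows that the RFC 5321 reply code together with the RFC 3463 enhanced status code is what separates them, and then scans a constructed mail-gateway log to flag the clients that received the "valid credentials, app-specific password required" reply, which is the event a defender would want to alert on. The log format, the function names and the IP addresses are assumptions made for this example.

```python
import re
# RFC 5321 reply line: 3-digit code, '-' if more lines follow or ' ' on the last line,
# optionally followed by an RFC 3463 enhanced status code such as 5.7.8 or 5.7.9.
_REPLY_LINE = re.compile(
    r"^(?P<code>\d{3})(?P<sep>[- ])(?:(?P<esc>\d\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$")

def parse_smtp_reply(raw):
    """Parse a possibly multi-line SMTP reply into its code, enhanced status code and text."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    code = esc = None
    texts = []
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if m is None:
            raise ValueError("not an SMTP reply line: %r" % line)
        if code is None:
            code = int(m.group("code"))
        esc = esc or m.group("esc")
        texts.append(m.group("text"))
        if m.group("sep") == " " and i != len(lines) - 1:
            raise ValueError("final reply line followed by more lines")
    return {"code": code, "esc": esc, "text": " ".join(texts)}

def classify_auth_failure(reply):
    """What the two Gmail replies quoted in the post reveal to whoever sent the credentials."""
    if reply["code"] == 535 and reply["esc"] == "5.7.8":
        return "invalid-credentials"
    if reply["code"] == 534 and reply["esc"] == "5.7.9":
        # Password accepted, second factor missing, and no SMS went to the account owner.
        return "valid-credentials-2fa-required"
    return "other-failure"

# Constructed sample log, "<client-ip> <server reply line>" per AUTH attempt, as an SMTP
# proxy or mail gateway might record it; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "203.0.113.5 535 5.7.8 Username and Password not accepted.",
    "198.51.100.7 534 5.7.9 Application-specific password required.",
    "203.0.113.5 535 5.7.8 Username and Password not accepted.",
    "192.0.2.9 454 4.7.0 Temporary authentication failure",
]

def flag_valid_password_without_2fa(log_lines):
    """Clients that learned a password was correct without the owner being notified."""
    flagged = []
    for line in log_lines:
        client, _, reply_line = line.partition(" ")
        if classify_auth_failure(parse_smtp_reply(reply_line)) == "valid-credentials-2fa-required":
            flagged.append(client)
    return flagged
```

Each flagged client is one where the account password is already known to someone other than the owner, so those events deserve a password reset and a review of recent activity even though the login itself failed.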
