Silent Sector Advises IETF of Major Vulnerability Related to QR Codes Used to Enroll Two-Factor Authentication Processes
TelAve News/10841667
Millions – Perhaps Tens of Millions – of 2FA Credentials at Risk of Exposure. Global Remediation Likely to Cost Billions of Dollars
SCOTTSDALE, Ariz. - TelAve -- A significant exposure related to the use of QR codes in two-factor authentication (2FA) processes has been identified and reported to the Internet Engineering Task Force (IETF) by researchers and analysts at Silent Sector (https://silentsector.com), a cybersecurity services company that specializes in providing tailored risk management solutions to mid-market and emerging companies across various industries, including healthcare, financial services, technology, manufacturing, and defense.
The exploit, discovered by Brian Contario, Principal Cybersecurity Architect at Silent Sector, lies in the fact that the QR codes used for 2FA enrollment contain sensitive information, including a secret key and user identifiers, which can be captured and misused if not properly secured.
"These codes have been present for over a decade, potentially affecting millions of users worldwide. While this vulnerability is not widely recognized, once it becomes more widely known, it will likely emerge as an area of focus for malicious actors," says Contario.
There are a number of ways that bad actors could gain access to the secret key information in the QR codes. Potential caches of the data include email, messaging, or cloud storage repositories where the QR codes or enrollment information have been transmitted or stored.
"Many IT shops, managed service providers (MSPs), as well as other business and technology professionals often store or email these QR codes, leaving them open to discovery. In public places, including airports, cafes and co-working spaces, images of the QR code can be captured simply by using cameras with zoom lenses when QR codes are displayed on screens for enrollment," he says.
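The caches described above (mailboxes, chat exports, cloud notes) can be swept for leftover enrollment URIs. The scanner below is an added example, not Silent Sector's tooling; it assumes the QR content is the standard `otpauth://` URI format and reports findings with the secret redacted so the report is not itself a new leak. The sample export is constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed pattern for otpauth enrollment URIs embedded in free text.
# Stops at whitespace and quote/angle characters that commonly delimit a URI in
# email or HTML; it is a triage regex, not a full URI grammar.
OTPAUTH_RE = re.compile(r"""otpauth://(?:totp|hotp)/[^\s"'<>]+""", re.IGNORECASE)

def find_enrollment_residue(text):
    """Return one finding per otpauth URI, never echoing the secret itself."""
    findings = []
    for uri in OTPAUTH_RE.findall(text):
        parsed = urlparse(uri)
        params = parse_qs(parsed.query)
        secret = params.get("secret", [""])[0]
        findings.append({
            "type": parsed.netloc.lower(),            # "totp" or "hotp"
            "label": unquote(parsed.path.lstrip("/")),  # issuer:account
            "issuer": params.get("issuer", [""])[0],
            "secret_present": bool(secret),
            "secret_length": len(secret),             # length only, no value
        })
    return findings

# Constructed mailbox export: two enrollment URIs forwarded as plain text.
SAMPLE_EXPORT = """\
From: helpdesk@example.test
Subject: Fwd: your MFA setup
Scan this in your app: otpauth://totp/Example%3Aalice%40example.test?secret=JBSWY3DPEHPK3PXP&issuer=Example
(and for the shared admin account)
otpauth://hotp/Example:admin?secret=GEZDGNBVGY3TQOJQ&issuer=Example&counter=0
Thanks!
"""

def scan_sample():
    """Convenience wrapper so the sample can be checked without printing."""
    return find_enrollment_residue(SAMPLE_EXPORT)

if __name__ == "__main__":
    for f in scan_sample():
        print(f)
```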
Scope of the Damage
The potential scale of impact is estimated anywhere from tens to hundreds of millions of affected enrollments. Google Authenticator added support for QR codes approximately 12 years ago.
Millions upon millions of QR code enrollments enabled over the past decade have created a large pool of "data residue" where the digital fingerprints of particular 2FA interactions have been saved and archived.
The enrollment processes were originally designed for hardware security tokens, which could securely embed the secret keys that were transmitted to the physical tokens or other devices.
"However, when this process was adapted for software-based 2FA apps, the secure exchange of the secret key was not properly maintained. As a result, transmitting the QR code can lead to the key being compromised. If attackers gain access to this information, they can potentially use it to bypass the 2FA protection," says Contario. "While the level of awareness of this exploit currently seems to be low – even among IT professionals – the potential for abuse exists," he adds.
Remediation Solution
To address the threat, Silent Sector has developed a fix that involves changing the enrollment process to use a QR code that is paired with a dynamic, one-time URL that directs the authenticator app to retrieve the secret key from a secure server.
"This ensures that the secret key is only sent to the authenticator app, making it more secure. To execute the fix, technology vendors and enterprises that use QR enrollment for multi-factor authentication will need to re-enroll in their 2FA processes using new, secure QR codes," explains Contario.
This way, the secret key is no longer statically embedded in the QR code, but dynamically provided to the authenticator app in a secure manner, preventing the compromise of secure data through the QR code alone.
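The contrast between the two enrollment flows, as an added example rather than code from Silent Sector or the IETF draft: a legacy static `otpauth://` payload carries the secret in the QR itself, while the one-time-URL flow puts only a random token in the QR and serves the secret once from an in-memory stand-in for the secure server. The hostname, token length and validity window are assumptions.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed, in-memory stand-in for the "secure server" in the press release.
# Assumptions (not from the draft): the QR payload carries only a random
# one-time token, and the TOTP secret is served exactly once within a short window.
class EnrollmentServer:
    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self.pending = {}  # token -> (account, secret, issued_at)

    def start_enrollment(self, account, now):
        """Return the QR payload: a one-time URL with no secret inside."""
        secret = base64.b32encode(secrets.token_bytes(20)).decode()
        token = secrets.token_urlsafe(32)
        self.pending[token] = (account, secret, now)
        return "https://enroll.example.test/totp?" + urlencode({"token": token})

    def redeem(self, token, now):
        """Serve the secret to the authenticator once, then forget it."""
        entry = self.pending.pop(token, None)  # pop: a replay finds nothing
        if entry is None:
            return None
        account, secret, issued_at = entry
        if now - issued_at > self.ttl:
            return None  # stale token: secret is discarded, never served
        return {"account": account, "secret": secret}

def legacy_qr_payload(account, secret, issuer="Example"):
    """The static otpauth URI the article describes: the secret rides in the QR."""
    return f"otpauth://totp/{issuer}:{account}?" + urlencode(
        {"secret": secret, "issuer": issuer})

def token_from_payload(payload):
    return parse_qs(urlparse(payload).query).get("token", [None])[0]

def payload_exposes_secret(payload, secret):
    """True if holding only a photo of the QR also means holding the secret."""
    return secret in payload

if __name__ == "__main__":
    srv = EnrollmentServer()
    qr = srv.start_enrollment("alice@example.test", now=1000)
    print("QR exposes secret:", payload_exposes_secret(qr, srv.pending[token_from_payload(qr)][1]))
    first = srv.redeem(token_from_payload(qr), now=1010)
    print("first redeem ok:", first is not None)
    print("replay result:", srv.redeem(token_from_payload(qr), now=1011))
```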
Deploying Remediation at Scale
The biggest remediation challenge revolves around the massive scale of the problem, the risk of exploitation once disclosed and the difficulties in properly notifying and coordinating with all the potentially affected parties.
The issue affects a large number of vendors and systems that have implemented two-factor authentication using QR codes. It is estimated that this issue could affect over a dozen common authenticator apps on the client side. On the server side, there could be hundreds of vendors that need to update their code to address the compromised data.
"There could be millions, tens of millions, or even hundreds of millions of these QR codes out in the wild, making it extremely difficult to notify all affected parties in advance. What's more, existing users who have already enrolled in 2FA using the compromised QR code process must be re-enrolled using the new, more secure process," says Contario.
Economics of Remediation
While the technical fix is not overly complex, the labor-intensive user re-enrollment process across enterprises will be a significant undertaking and involve considerable costs.
Vendors that provide the two-factor authentication software and services will have to take the lead in updating their code to proactively address the exposure.
For end-user organizations, the major cost will be in the labor required for IT departments to notify and walk users through the process of re-enrolling in two-factor authentication.
"This is likely to be very time-consuming for large organizations and could add up to billions of dollars in enterprise expenditures globally, based on the average hourly rate for IT staff multiplied by the number of individuals that would need to be re-enrolled across many organizations," concludes Contario.
To learn more, please visit: https://datatracker.ietf.org/doc/html/draft-contario-totp-secure-enrollment or Silent Sector's page here, https://silentsector.com/2fa.
Source: Silent Sector
Filed Under: Technology, Information Technology