Time to re-enable your 2FA — or to set it up finally
We have recently learned about an issue that saw us using a third-party API to generate the QR code for two-factor authentication. We have looked into this issue and want to sincerely apologize to our customers for allowing this blunder. We can assure you that AdGuard no longer uses The Google Charts API or any other third-party service to enable the 2FA security layer.
How it all came to this:
If you tried to set up a two-step authentication for your AdGuard account, you probably know how it works: A QR code pops up on our website, which you have to scan with a password manager that supports 2FA to proceed.
The problem with this scheme, as it was rightly pointed out to us on Reddit, was that the QR code used to be generated through a third-party service, in our case – the Google Charts API, which returned the image to the user.
Thus, we effectively created a loophole allowing the user login email address and their time-based one-time password (TOTP secret) to be sent to the Google Charts API.
Second, Google claims that its Google Charts API does not store any logs and is only a functional service that generates images according to the given parameters.
In any way, we strongly recommend you re-enable your 2FA if you have already enabled two-factor authentication in your account. And if you haven't enabled 2FA yet, then now it's high time you did it as it will make your account much more secure.