Chrome 84 was released on Tuesday, July 14 on the Chrome official channel. While this update was fairly minor, it did add Web OTP (One-Time Passcode) API support, which is a big step towards standardizing OTP SMS code automation on mobile devices. Web OTP API, created by Apple, allows mobile web browsers to detect incoming SMS messages that contain one-time passcodes. This allows web browsers to easily automate Multi-Factor Authentication (MFA) by saving the user from having to remember the passcode and manually enter it. Reducing the level of difficulty for users helps to increase adoption of MFA, which is critical for protecting account access when passwords are frequently stolen or guessed by attackers. This update also brought some other security features to Chrome, in the form of automatic notification popup blocking on sites with a reputation for abusing notifications and launching too many notifications.
Multi-Factor Authentication (MFA) is one of the most critical security controls that companies can deploy to protect against stolen and guessed password abuse. Receiving MFA one-time passcodes through SMS text messages is the simplest but also the least secure implementation because an attacker can intercept or divert text messages. Binary Defense recommends using authenticator apps to generate one-time passcodes on mobile devices without using SMS. As this patch also fixed a few critical/high vulnerabilities, Binary Defense recommends updating all devices as soon as possible. Chrome should update automatically on desktop machines, but mobile devices may need to be configured for automatic updates through the App Store or Play Store. Attackers often make use of unpatched browsers to exploit endpoints in “drive-by downloads” using exploit kits hiding in advertising or website content that appear safe. This attacker focus on exploitation of web browsers is the reason why automatic updates are now the default configuration for most web browsers.