What you need to know
- Researchers from Mysk found that Google Authenticator does not end-to-end encrypt users' 2FA codes.
- The "secrets" needed for the 2FA codes can be seen by Google thus making users vulnerable to data breaches.
- Christiaan Brand of Google responded by stating there are plans to bring E2EE to Google Authenticator in the future.
Following Google Authenticator's long-awaited update, software company Mysk issued a warning for users not to enable the feature over concerns that the feature is not secure.
The update in question recently introduced a sync option for one-time codes, which would allow users to store them in their Google Accounts. The idea was to help prevent a situation where a user is locked out of all of their accounts since those one-time codes were previously stored on the device the app was installed on.
Mysk found evidence that users interested in using the feature may need to take into consideration that the network traffic generated by the Authenticator app is not end-to-end encrypted. A person with malicious intent could steal the "secret" or "seed" that is used to generate your 2FA QR code. With that, your efforts at creating a stronger security barrier would be moot.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.TL;DR: Don't turn it on.The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZRApril 26, 2023
Additionally, Mysk mentions 2FA QR codes have the ability to contain other information about you, such as your account name and the name of the service the code is for. Speculation suggests Google could use this information to bombard you with personalized ads throughout its services, but this could spell danger for users. Mysk states that if Google were ever to suffer a data breach, your information would fly right toward them.
In response, Christiaan Brand, a product manager at Google, explained Authenticator's lack of E2EE in a Tweet on Thursday. While the app doesn't offer the security protection users would welcome, there are plans to offer encryption later on down the line. He states that Google encrypts your data from all of its apps, including Authenticator, when it is "in transit and at rest."
"Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use," Brand continues. Furthermore, the inclusion of stronger encryption like E2E could resurface the possibility of users becoming locked out of their accounts.
However, as previously mentioned and reiterated by Brand, Google Authenticator's account sync is entirely optional. If users feel safer using the app in an offline state, with control over how they back up their information, that is still available to them.
