Summary:
Google recently updated Authenticator, its two-factor authentication (2FA) app, to add the heavily-requested ability to sync verification codes across devices, but a pair of Canadian and German security researchers from iOS app developer Mysk claim the new feature poses a significant security risk due to its lack of end-to-end encryption.
Every 2FA QR code users bind to Authenticator (or another two-step verification app) contains what’s known as a “secret” or a “seed.” These are used to generate the one-time 2FA codes you use to confirm your sign-ins. With the new update, Google Authenticator users can sign in with their Google Account and sync 2FA secrets across iOS and Android devices.
However, according to the researchers, the syncing process isn’t end-to-end encrypted. “This means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user,” the researchers said in a long-form tweet.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
In comparison, Google will let you use passphrases to secure even your Chrome data, which is significantly less sensitive than a 2FA secret.
“If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised,” the researchers explained.
What’s more, 2FA QR codes often also contain other private information, such as the name of your account and the name of the service it is associated with.
Christiaan Brand, a Product Manager for Google’s Identity and Security teams, said in a Twitter thread that the decision to forego end-to-end encryption for Authenticator at this time was to prevent users from getting “locked out of their own data without recovery.”
According to Brand, Google encrypts all user data in transit, and at rest, across all of its products, and Authenticator is no exception. He went on to note that the company has plans to offer end-to-end encryption for Authenticator syncing in the future.
“To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line.”
The Mysk researchers concluded that while extremely convenient, Authenticator’s new cloud syncing feature is too big a security and privacy risk at the moment and, therefore, shouldn’t be used in its current form.
Fortunately, Google Authenticator users can still use the app offline and without signing in with a Google account or syncing secrets, with Brand also saying that doing so remains an option.
