A couple of days ago, Google finally addressed a major inconvenience in its Authenticator app by adding a long-requested feature to back up 2FA codes to the cloud. The new feature enables syncing of 2FA tokens across devices through a user’s Google account, which fixes a long-standing shortcoming of the app’s previous implementation of two-factor authentication, under which codes were tied to a single device.
Along with the update, Google Authenticator is also getting a brand-new icon on both Android and iOS platforms. With this new feature, Google is making it easier for users to manage their 2FA codes and improve their overall security posture. However, security experts are cautioning users to hold off on using the feature at the moment, saying it’s not end-to-end encrypted.
The security researchers at Mysk have taken to Twitter to express their concerns over Google Authenticator’s new sync feature. According to the researchers, the app’s traffic is not end-to-end encrypted, which means that Google can potentially see the stored secrets while they sit on Google’s servers.
The researchers also noted that there is no option to add a passphrase to protect the secrets and make them accessible only to the user. As a result, the researchers advise users to avoid using the feature until the encryption issue is addressed.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
Those secrets are the credentials used to generate the login codes for your accounts, and security researchers say that Google employees could see them because the new sync feature of Google Authenticator lacks end-to-end encryption.
To explain further, if someone obtains the secret encoded in your 2FA QR code, they can generate the same one-time codes as you and bypass the 2FA protection. Therefore, if there is ever a data breach or if someone gains access to your Google Account, all of your 2FA secrets would be exposed. This could result in a serious breach of privacy and security.
Storing confidential data in the cloud carries well-known security risks. If a hacker manages to gain entry into a user’s Google account, they can potentially access their 2FA credentials and use them to take control of other accounts belonging to the user.
The QR codes used in 2FA often contain information such as the account name and the name of the service being used. If this information is not encrypted, then Google would be able to see which services you are using and potentially use that information for targeted advertising. If a cybercriminal were to gain access to your Google account, they would also have access to this information, which could be used for malicious purposes.
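The two points above (the same secret yields the same one-time codes, and the QR payload also names the service and account) as an added example that is not part of the original article or of Google Authenticator. It assumes a constructed otpauth:// URI built around the RFC 6238 test secret, and names such as parse_otpauth and visible_from_synced_entry are the example's own:

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into (issuer, account, raw secret bytes).

    This is the payload a 2FA QR code carries; anything that can read an
    unencrypted synced entry learns all three fields.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    params = parse_qs(u.query)
    issuer = params.get("issuer", [label_issuer])[0]
    secret = params["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding
    return issuer, account.strip(), base64.b32decode(secret)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for the Unix time `at`."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def visible_from_synced_entry(uri, at):
    """What a party holding a plaintext synced entry learns: the service, the
    account, and the exact code the user's own device shows at time `at`."""
    issuer, account, secret = parse_otpauth(uri)
    return {"issuer": issuer, "account": account, "code": totp(secret, at)}


if __name__ == "__main__":
    print(visible_from_synced_entry(SAMPLE_URI, at=59))  # code 287082
```

Only end-to-end encryption of the stored secret (or a user passphrase, as Mysk suggests) keeps the server side from being able to compute that same code.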
Fortunately, there’s good news as Christiaan Brand, the Product Manager responsible for Identity and Security at Google, has taken steps to address concerns over the absence of end-to-end encryption in the latest version of Google Authenticator.
(3/4) To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line.
— Christiaan Brand (@christiaanbrand) April 26, 2023
Using the cloud for storing 2FA credentials has been a long-awaited solution for Authenticator users, who have been annoyed by the hassle of losing access to their codes when switching devices or in case of device loss. The new feature enables users to store their 2FA tokens in the cloud using their Google account, making it possible for them to access their tokens from any backup device in case of device loss or upgrade.
However, the fact that the 2FA secrets are not included in Google data exports doesn’t mitigate the potential security risks associated with the lack of end-to-end encryption. Mysk suggests that Google should immediately add an option for users to add a passphrase to protect their 2FA secrets, making them accessible only by the user.
For now, the security researchers advise users to refrain from using the sync feature until Google resolves the issue.