Facepalm: Google has finally added a cloud backup option to its Authenticator mobile app for the one-time password (OTP) secrets it stores. The feature gives users convenience and some peace of mind, but right now it lacks a critical protection: those backups aren't end-to-end encrypted.
Cloud backup of OTP secrets was one of the most requested features from Google Authenticator users over the years, yet security researchers are asking those users not to enable it, at least for now, because the option still lacks the additional protection layer that end-to-end encryption provides.
When users sync their "2FA secrets" to a Google Account so they can access them across devices, Google doesn't end-to-end encrypt them. Researchers at Mysk analyzed the network traffic produced by the sync operation and found that the data sent to Google's servers isn't end-to-end encrypted. That means Google can see users' secret codes once they are stored on its servers, the researchers explained. Note that what gets synced is the seed from which the app computes its rotating six-digit codes, not the codes themselves: whoever holds the seed can compute every future code for that account.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
– Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
Mountain View offers no additional protection, such as a user-chosen passphrase, for the OTP backups. If Google suffers a data breach, or a user's Google Account is compromised, the researchers said, "all of your 2FA secrets would be compromised" as well, and with them every code those secrets can generate. For this and other reasons, Mysk advises against enabling cloud synchronization in the Authenticator app for the time being.
End-to-end encryption protects data so that only the sender and the intended recipient can read it: the data is encrypted on the user's device with a key the service never holds, so neither an eavesdropper on the wire nor the company storing the data can read or silently modify it. For a backup, the "recipient" is the user's own next device, and the key is typically derived from a passphrase the user chooses. Popular third-party authentication apps like Authy already encrypt their backups this way, but Google clearly has other plans for its users.
The company has acknowledged the lack of E2E encryption in the new cloud-syncing feature, but says this was a deliberate choice. While E2E encryption provides extra protection, Google said, it can also lock users out of their own data if they lose their "master" password. The sync option was designed to protect security and privacy, but also to be useful and convenient.
Google also said that users' data is encrypted "in transit, and at rest" across its products, including Google Authenticator. That doesn't actually contradict what Mysk observed: transport and at-rest encryption keep outsiders out, but Google holds the keys and can still read the secrets, which is exactly the gap end-to-end encryption would close. Either way, the Alphabet company is now promising that some form of E2E encryption will eventually come to the Authenticator app. Sooner or later.
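To make the two points above concrete (that a leaked seed yields every future code, and that a passphrase-wrapped backup is unreadable without the passphrase, including by the user who forgets it), here is an added, stand-alone example. It is not code from the article, from Google or from Mysk. It implements RFC 6238 TOTP with the standard library, then wraps a set of seeds under a PBKDF2-derived key; the cipher used for the wrapping is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, an assumed stand-in for the AES-GCM a production client would use. The seeds and passphrases are constructed test values (the first seed is the RFC 6238 test vector).

```python
"""Added example: TOTP from a seed, and a passphrase-wrapped (end-to-end
encrypted) backup of seeds. Not from the article, Google or Mysk.
Stdlib only; the cipher is an HMAC-SHA256 CTR keystream plus an
encrypt-then-MAC tag, standing in for AES-GCM (assumption)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import struct
import time

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 iteration count (assumption)

# Constructed test values. The first is the RFC 6238 test seed ("12345678901234567890").
DEMO_SEEDS = {
    "example.com": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "bank": "JBSWY3DPEHPK3PXP",
}


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: anyone holding the seed can compute the code for any time."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Slow, salted KDF; split the output into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key_enc: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (stand-in for AES-CTR)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key_enc, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def wrap_backup(seeds: dict[str, str], passphrase: str) -> bytes:
    """Client side: serialise the seeds and encrypt them under a key derived from
    the user's passphrase. Only this blob goes to the server, never the passphrase."""
    plaintext = "\n".join(f"{name}:{seed}" for name, seed in sorted(seeds.items())).encode()
    salt, nonce = os.urandom(16), os.urandom(16)
    key_enc, key_mac = _derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key_enc, nonce, len(plaintext))))
    tag = hmac.new(key_mac, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def unwrap_backup(blob: bytes, passphrase: str) -> dict[str, str] | None:
    """Returns the seeds, or None if the passphrase is wrong or the blob was
    tampered with. This is the lockout Google cites: lose the passphrase and
    nobody, the provider included, can recover the seeds."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key_enc, key_mac = _derive_keys(passphrase, salt)
    expected = hmac.new(key_mac, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key_enc, nonce, len(ct))))
    if not pt:
        return {}
    return dict(line.split(":", 1) for line in pt.decode().split("\n"))


def leaks_seed(stored: bytes, seed: str) -> bool:
    """What a breach or the server operator sees: does the stored data contain
    the seed in the clear? True for a plaintext sync, False for a wrapped one."""
    return seed.encode() in stored


if __name__ == "__main__":
    now = int(time.time())
    print("code anyone holding the 'bank' seed computes right now:", totp(DEMO_SEEDS["bank"], now))
    plaintext_sync = "\n".join(f"{n}:{s}" for n, s in DEMO_SEEDS.items()).encode()
    print("plaintext sync exposes seed:", leaks_seed(plaintext_sync, DEMO_SEEDS["bank"]))
    blob = wrap_backup(DEMO_SEEDS, "correct horse battery staple")
    print("wrapped backup exposes seed:", leaks_seed(blob, DEMO_SEEDS["bank"]))
    print("unwrap with wrong passphrase:", unwrap_backup(blob, "forgot it"))
    print("unwrap with right passphrase:", unwrap_backup(blob, "correct horse battery staple"))
```

The RFC 6238 test seed gives the published vectors (code "287082" at T=59 with six digits), which is the check to run before trusting any TOTP implementation. The wrapped blob carries only salt, nonce, tag and ciphertext; a server storing it, or an attacker who dumps it, gets nothing usable without the passphrase, and a wrong passphrase or a flipped ciphertext byte fails the tag check rather than returning garbage.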