Google has added a new feature to its Google Authenticator app called Cloud Sync, which lets users sync their two-factor authentication (2FA) tokens across devices. While this was a much-anticipated addition, it lacks end-to-end encryption (E2EE), leaving users exposed to possible security breaches.
A Mysk security researcher discovered that Google Authenticator data is not end-to-end encrypted when syncing between devices, so anyone who can read the synced data can recover the seed secrets and generate valid 2FA codes. Additionally, the QR codes used to enrol 2FA usually carry other information, such as the account name and the service name, which Google can see and could potentially use for personalized advertising.
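To make the risk concrete, here is an added example (not code from the article or from Google) that parses a constructed otpauth:// enrolment URI of the kind a 2FA QR code encodes, lists the fields a sync server can read when the payload is not end-to-end encrypted, and shows that the secret alone is enough to compute RFC 6238 TOTP codes. The sample URI is constructed; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrolment URI (the format 2FA QR codes encode).
# The secret is the RFC 6238 reference key, not a real account.
SAMPLE_URI = (
    "otpauth://totp/Example%20Service:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Service"
    "&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Return every field a sync server sees if the URI is stored in the clear."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    label = unquote(u.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "issuer": q.get("issuer", issuer_from_label),  # service name (metadata)
        "account": account,                            # account name (metadata)
        "secret": q["secret"],                         # the seed; must stay private
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the seed plus the clock yields the code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    fields = parse_otpauth(SAMPLE_URI)
    print("visible to a sync server without E2EE:", fields)
    print("code at t=59:", totp(fields["secret"], 59, fields["digits"], fields["period"]))
```

With E2EE, only the ciphertext of these fields would reach the server; without it, the issuer, account and seed are all readable.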
However, Google has acknowledged users’ concerns and stated that it will add E2EE to future versions of Google Authenticator. Google Group Product Manager Christiaan Brand said the company is careful about rolling out E2EE across its products, because E2EE can lock users out of their own data if they lose the key.
While Google Authenticator encrypts data in transit and at rest, users should be cautious with the sync feature and consider using the app without signing in or syncing secrets. Google already offers E2EE in some services, such as Google Chrome, where users can set a passphrase to encrypt the data synced with their Google account.
The convenience of syncing 2FA codes across devices currently comes at the cost of privacy, but Google is taking steps to address this and prioritize user security. Users should stay informed about the security features of their online accounts and take the necessary precautions to protect their personal information.