Google will add end-to-end encryption to Google Authenticator


After researchers warned users not to sync 2FA codes with their Google accounts, Google is providing end-to-end encryption for Google Authenticator in the cloud.

This week, Google Authenticator finally received the long-awaited feature that allows you to back up 2FA tokens in the cloud.

This new feature allows users to sync their Google Authenticator 2FA tokens with their Google Account, providing a backup in case their mobile device is lost or damaged.

It also allows users to access their 2FA tokens across multiple devices, as long as they’re all signed into the same Google account.

Not fully encrypted

However, soon after Google Authenticator’s cloud sync was announced, Mysk security researchers discovered that data was not fully encrypted while being uploaded to Google’s servers.

“We analyzed the network traffic when the app syncs secrets and found that the traffic is not fully encrypted,” Mysk said in a tweet.

“As shown in the screenshots, this means that Google can see the secrets, possibly even when they are stored on their servers. There is no way to add a passphrase to protect the secrets and make them available only to the user.”


End-to-end encryption means the data is encrypted on the device, using a password known only to its owner, before it is transferred to and stored on another system. Because the data is encrypted, nobody else can read it, not even someone with access to the server where it is stored.

Because Google Authenticator does not offer end-to-end encryption, the data is stored on Google’s servers in a form that could be read by unauthorized parties, whether through a breach of Google or by a rogue employee.

“Each 2FA QR code contains a secret or seed used to generate one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protection,” continued Mysk.

“So if there’s ever a data breach or if someone gets access to your Google account, all of your 2FA secrets will be compromised.”

Authy, another popular authentication app, has grown in popularity over the years because it offers cloud backups of 2FA tokens that are fully encrypted.

This feature on Authy requires users to enter a password that only they know, so all uploaded data is encrypted before it leaves their mobile device.

Additionally, Authy refuses to back up data unless a backup password is set, which provides better security.

However, this feature poses a risk as users may be locked out of their data and unable to restore it on another device if they lose their password.
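To make the two points above concrete, here is an added Python example (written for this article; it is not code from the article, Google, Mysk or Authy). The first part implements the RFC 6238 TOTP derivation to show that any party holding the seed produces exactly the same one-time codes as the user's phone, which is why a plaintext seed on a server is equivalent to the second factor itself. The second part wraps the seed under a user-chosen passphrase before it would be uploaded: the stored blob is useless without the passphrase, and a wrong passphrase yields nothing rather than a partial result, which is the lock-out trade-off described for Authy. The wrapping scheme (PBKDF2 plus an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC) is a constructed stdlib-only illustration of the principle, not the scheme any of these vendors use; the Base32 seed and passphrase are constructed sample values.

```python
"""Added example: TOTP seed -> codes (RFC 6238), and a passphrase-wrapped
backup of that seed so the storage server sees only ciphertext.
Standard library only; the wrap scheme is illustrative, not a vendor's."""
import base64
import hashlib
import hmac
import os
import struct
import time


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         digest=hashlib.sha1) -> str:
    """RFC 6238: HMAC(seed, time-step counter), dynamic truncation, mod 10^digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seed_from_base32(b32: str) -> bytes:
    """Authenticator QR codes carry the seed Base32-encoded, usually unpadded."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# --- Illustrative passphrase wrapping (constructed for this example) ---
def _derive_keys(passphrase: str, salt: bytes):
    """Slow KDF so a stolen blob cannot be brute-forced cheaply; split into
    an encryption key and a separate MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 200_000, 64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce a keystream."""
    blocks = []
    for i in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def wrap_seed(seed: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC the seed under the passphrase. Output: salt|nonce|ct|tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(seed, _keystream(enc_key, nonce, len(seed))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_seed(blob: bytes, passphrase: str):
    """Return the seed, or None if the passphrase is wrong or the blob was altered.
    There is no partial recovery: this is the lock-out trade-off of E2EE backups."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed seed (the RFC 6238 test secret) as it would appear in a QR code.
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    # "Phone" and "anyone holding the plaintext seed" agree on every code.
    print("phone:", totp(seed, now), " seed-holder:", totp(seed, now))
    blob = wrap_seed(seed, "correct-passphrase")       # what the server would store
    print("server sees:", blob.hex()[:32], "...")
    print("right passphrase recovers seed:", unwrap_seed(blob, "correct-passphrase") == seed)
    print("wrong passphrase recovers:", unwrap_seed(blob, "wrong-passphrase"))
```

The `totp` function is checked against the published RFC 6238 test vectors in the test below, so the code derivation is exact rather than illustrative; only the wrapping layer is a stand-in for whatever a real product ships.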

E2EE is coming to Google Authenticator

Google has heard users’ concerns about the lack of end-to-end encryption and said they will add it to a future version of Google Authenticator.

Christian Brandt, Google’s group product manager, told BleepingComputer that because end-to-end encryption can lock users out of their own data, Google is cautious about how it implements the feature in its products.

“The safety of our users is at the heart of everything we do at Google, and it’s a responsibility we take seriously. The recent update to the Google Authenticator app was made with this mission in mind, and we took careful steps to ensure that we can offer it to users in a way that protects their security and privacy while also being useful and convenient,” Brandt told BleepingComputer.

“We encrypt data both in transit and at rest across all of our products, including Google Authenticator. End-to-end encryption (E2EE) is a powerful feature that provides additional protection, but it comes at a cost: users can have their data locked without recovery. To ensure that we offer a full set of capabilities to our users, we have also started to implement additional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”

Google already provides end-to-end encryption in some of its services, such as Google Chrome, which lets you set a passphrase to encrypt the data synced with your Google account.
