After researchers cautioned users about syncing 2FA codes with their Google accounts, Google is adding end-to-end encryption to Google Authenticator cloud backups.
This week, Google Authenticator gained the long-awaited functionality of backing up 2FA tokens to the cloud.
Users may now synchronize their Google Authenticator 2FA tokens with their Google account, providing a backup if their mobile device is lost or destroyed.
It also enables users to access their 2FA tokens across various devices if they are all signed into the same Google account.
No end-to-end encryption
However, immediately after the announcement of Google Authenticator cloud sync, security researchers at Mysk revealed that the data was not being encrypted end-to-end when being uploaded to Google’s servers.
“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” reads a tweet from Mysk.
“As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”
With end-to-end encryption, data is encrypted on the user’s own device, using a password or key known only to the user, before it is sent to and stored on another system. Because the data is already encrypted when it leaves the device, nobody else can read it, including anyone with access to the server where it is stored.
Google Authenticator’s cloud sync does not provide end-to-end encryption. The data is kept on Google’s servers in a form that unauthorized parties could potentially read, whether as a result of a breach of Google or a dishonest employee.
“Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections,” continued Mysk.
“So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”
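The point Mysk makes, that the seed inside a 2FA QR code is all that is needed to produce valid one-time codes, can be seen by working through RFC 6238 (TOTP). The Python below is an added example, not code from Google, Mysk or the article: it parses the otpauth:// URI that an enrollment QR code carries, derives the time-based code from the seed, and verifies a code the way a server would. The URI, account label and issuer are constructed for illustration; the secret is the published RFC 6238 test key, so the codes it yields are the RFC’s own test vectors.

```python
"""Added example: a TOTP seed from an otpauth:// QR code determines the codes (RFC 6238)."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a 2FA enrollment QR code encodes. The secret is the
# RFC 6238 test key "12345678901234567890" in base32; label and issuer are made up.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
)


def parse_otpauth(uri: str) -> dict:
    """Extract the TOTP parameters carried in an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    # Issuers often strip base32 '=' padding; restore it before decoding.
    secret = params["secret"].upper()
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "seed": base64.b32decode(secret),          # this is the long-lived secret
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def totp(seed: bytes, unix_time: int, digits: int = 6,
         period: int = 30, algorithm: str = "sha1") -> str:
    """Compute the one-time code for a given time from the seed (RFC 6238 / RFC 4226)."""
    counter = unix_time // period                       # time step since the epoch
    mac = hmac.new(seed, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed: bytes, code: str, unix_time: int, window: int = 1,
           digits: int = 6, period: int = 30, algorithm: str = "sha1") -> bool:
    """Server-side check: accept the code for the current step and +/- `window` steps.
    Anyone holding the same seed computes exactly the codes this function accepts."""
    for step in range(-window, window + 1):
        candidate = totp(seed, unix_time + step * period, digits, period, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def demo(uri: str = SAMPLE_URI, unix_time: int = 59) -> dict:
    """Show that the code an authenticator app derives from the seed is the one
    the verifier accepts; a copy of the seed elsewhere yields the same code."""
    entry = parse_otpauth(uri)
    code = totp(entry["seed"], unix_time, entry["digits"], entry["period"], entry["algorithm"])
    return {
        "account": entry["label"],
        "code": code,
        "accepted": verify(entry["seed"], code, unix_time,
                           digits=entry["digits"], period=entry["period"],
                           algorithm=entry["algorithm"]),
    }


if __name__ == "__main__":
    print(demo())
```

Because the seed alone reproduces every future code, a backup that stores it in a form the backup provider can read extends trust in the 2FA factor to that provider and to anyone who compromises it; this is why the encryption of the seed before upload matters more than the transport encryption Mysk observed.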
Authy, another widely used authenticator app that has grown in popularity over the years, provides end-to-end encrypted cloud backups of 2FA tokens.
When using this feature on Authy, users must enter a password that only they know, and the backup data is encrypted with it before it leaves their mobile device.
Furthermore, Authy does not allow backups until an end-to-end encryption password has been set, which improves security.
However, users who forget their password may be locked out of their backed-up data and unable to restore it to another device.
Google has responded to users’ concerns about the lack of end-to-end encryption, saying that a future version of Google Authenticator will include it.
Google already offers end-to-end encryption in several of its services, such as Google Chrome, which lets users set a passcode to protect data synced to their Google account.