The latest Google Authenticator update adds account synchronization—essentially, you can now save one-time passwords to your Google account, which may come in handy if lose or upgrade your phone. But, oddly enough, security researchers aren’t happy with this highly-requested feature.
In a recent tweet, developer and security researcher Mysk found that Google Authenticator’s sync feature doesn’t use end-to-end encryption. So, if someone intercepts your sync data (through a data breach or by hacking your Google account), they can find the seed that your Authenticator uses to generate one-time passwords. From there, the hacker can generate one-time passwords for any website associated with your Authenticator account.
Additionally, Mysk notes that Google Authenticator’s 2FA QR codes contain website and account names. Google can access this personal data when you use Authenticator’s sync feature, as the feature does not use end-to-end encryption. (Personally, I consider this a moot point. Google already knows which websites you use. It won’t learn anything groundbreaking by looking at your Authenticator data.)
(1/4) We’re always focused on the safety and security of @Google users, and the newest updates to Google Authenticator was no exception. Our goal is to offer features that protect users, BUT are useful and convenient.
— Christiaan Brand (@christiaanbrand) April 26, 2023
For its part, Google has a pretty measured response to these concerns. Christiaan Brand, the Product Manager of Google Identity and Security, explains that the whole point in Authenticator’s sync feature is to prevent people from getting locked out of 2FA-associated accounts. So, these backups need to be relatively easy to access.
Christiaan Brand says that full end-to-end encryption will come “somewhere down the line,” presumably as an optional setting for users who sync Authenticator data with their Google account.
But, in any case, it seems that Authenticator’s sync feature needs to strike a balance between security and convenience—a reality that could make 2FA a lot less useful than security researchers have hoped. This is especially true in the enterprise space, as hackers who want to attack a corporation usually do so by targeting its employees.
The good news is that Authenticator’s sync feature is optional. And, if you find yourself locked out of 2FA-protected accounts, there is usually a way to recover account access (it’s just a pain in the neck, and its kind of embarrassing in a work environment).
Source: Mysk, Google