Two-factor authentication codes can now be synced to a Google Account with the latest Google Authenticator update. However, the sync is not yet end-to-end encrypted, which could lead to security issues.
A few days ago, Google introduced an important update to Google Authenticator with the arrival of a feature long requested by its users: the synchronization of two-factor authentication codes with your Google Account. But for now, this sync is not end-to-end encrypted.
Google Authenticator Alert Launched: A Specific Security Gap?
As Android Central reports, software publisher Mysk has advised its users not to use this code sync. By analyzing network traffic during this synchronization, the company found that the data in transit was not end-to-end encrypted. “This means Google can access your ‘secrets’, possibly even stored on their servers”, Mysk writes in a tweet. All of this happens without the user being asked to add a layer of security to the sync, such as a password.
Google has updated its 2FA authentication app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don’t run it.
The new update allows users to sign in to their Google Account and sync 2FA secrets across iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
If Google were to suffer a cyber attack, this data, stored on its servers, could be compromised. Hackers can create new passwords to log into accounts that should be adequately protected.
Mysk also writes that Google can use this data for advertising purposes, because it reveals which services are used most (the codes are stored with the service name and account name). Therefore, Mysk recommends using Google Authenticator, but without code sync.
Google’s response: Authenticator would be better
In response to the controversy, Google product manager Christiaan Brand indirectly responded to Mysk in tweets. He acknowledges the lack of end-to-end encryption, but announces that the feature will be implemented later than planned. He also says Google encrypts data from all its apps, including Google Authenticator.
(1/4) We always focus on safety and security @Google New updates for users and Google authentication are no exception. Our goal is to provide features that protect users, but are useful and convenient.
— Christiaan Brand (@christiaanbrand) April 26, 2023
Regarding the dangers of this new feature, he argues that the risk-benefit balance tips in the right direction: “We believe our current product strikes a good balance for most users and has significant advantages over offline use”.
In fact, this synchronization of codes helps avoid possible loss of accounts if a storage device is lost or no longer works. Finally, this synchronization is optional.