This week, everyone was excited as Google Authenticator added a function to store 2FA data in the Google Cloud, making it easier to restore it on Android or iOS.
So yes, this is great especially for those who are afraid of losing their data or misplacing their smartphone. But beware!
This new option raises some privacy concerns. According to the security researchers at Mysk, it looks like the data is not end-to-end encrypted. This means Google can see and store the 2FA “secrets” (the seeds) on its servers, and nothing protects this information.
This is very worrying because every 2FA QR code contains the secret used to generate the one-time 2FA codes. If someone with bad intentions gets hold of this secret, they can bypass the 2FA protection very easily.
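To make concrete what such a backup exposes, here is an added example (not code from the original post or from Google) that parses an otpauth:// URI, which is exactly what a 2FA QR code encodes, and derives TOTP codes from the secret it carries, following RFC 6238 (HMAC-SHA1, 30-second step). The URI and its secret are constructed sample values.

```python
"""Parse an otpauth:// URI (the payload of a 2FA QR code) and derive
TOTP codes from the secret it carries (RFC 6238, HMAC-SHA1, 30 s step).
Everything a plaintext backup of such a URI reveals is in the dict below."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Return the fields a QR code exposes: type, issuer, account, raw secret."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth URI")
    label = unquote(u.path.lstrip("/"))          # "Issuer:account" or "account"
    issuer, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)                  # URIs usually omit base32 padding
    return {
        "type": u.netloc,
        "issuer": q.get("issuer", issuer),        # query parameter wins over label
        "account": account,
        "secret": base64.b32decode(b32),          # the seed: sufficient to mint codes
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, at // period, digits)


if __name__ == "__main__":
    # Constructed sample URI; the secret is a well-known demo value, not a real seed.
    sample = "otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"
    fields = parse_otpauth(sample)
    print({k: v for k, v in fields.items() if k != "secret"})
    print("code at t=0:", totp(fields["secret"], 0))
```

The RFC 6238 test vectors (ASCII secret "12345678901234567890", 8 digits) reproduce with `totp(b"12345678901234567890", 59, 8) == "94287082"`, which is the point: nothing beyond the seed is needed.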
An illustrated play in 3 acts:
While I don’t doubt the security of Google’s servers, we all know that even the most prepared companies experience data leaks at times.
The backup also sends other information, such as the account name and the service name, to the Google cloud. Google can clearly access it, so it knows which online services you use. Hello, personalized advertising!
If you ask Google to export your personal data, you won’t find any trace of these famous 2FA secrets. In short, I have the impression that they slipped through the cracks.
So the researchers recommend disabling this synchronization feature until end-to-end encryption is available (protected by a passphrase, for example).
Anyway, now you know. A forewarned Qwerty is worth two… (ho ho ho)