Google is bringing end-to-end encryption to Google Authenticator cloud backups after researchers warned users against syncing 2FA codes with their Google accounts.
This week, Google Authenticator finally received the long-awaited ability to save 2FA tokens to the cloud.
This new feature allows users to sync their Google Authenticator 2FA tokens with their Google account, providing a backup if their mobile device is lost or damaged.
It also allows users to access their 2FA tokens across multiple devices as long as they are all logged into the same Google account.
No end-to-end encryption
However, shortly after Google Authenticator’s cloud sync was announced, security researchers at Mysk discovered that the data was not end-to-end encrypted when uploaded to Google’s servers.
“We analyzed the network traffic when the app synchronizes secrets, and it turns out that the traffic is not end-to-end encrypted,” reads one of Mysk’s tweets.
“As the screenshots show, this means that Google can see the secrets, probably even when they are stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”
End-to-end encryption occurs when data is encrypted on one device using a password known only to the owner before being transmitted and stored on another device. As this data is encrypted, it is no longer accessible to anyone else, even those who have access to the server on which the data is stored.
Because Google Authenticator does not offer end-to-end encryption, the data is stored on Google’s servers in a form that unauthorized parties could potentially read, whether through a breach at Google or an unscrupulous employee.
“Each 2FA QR code contains a secret, or seed, which is used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat the 2FA protections,” Mysk continued.
“So in the event of a data breach or someone gaining access to your Google account, all of your 2FA secrets would be compromised.”
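To make concrete why a readable seed is equivalent to the codes themselves, here is an added Python example (not from the article or from Mysk) that derives TOTP codes from a seed the way Google Authenticator does (RFC 6238, HMAC-SHA1, 30-second step) and checks them the way a service does. The seed is the RFC 6238 reference secret, base32-encoded as it would appear in an otpauth:// QR code; it is a constructed sample, not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded as it would be carried in an otpauth:// QR code.
SAMPLE_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(seed_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant Google Authenticator uses by default."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)          # time step as 8-byte big-endian
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Relying-party check: accept the current step and +/- `window` steps of clock drift.

    Anyone holding the same seed (the phone, or whoever read an unencrypted backup)
    produces a code that passes this check; the service cannot tell them apart.
    """
    for drift in range(-window, window + 1):
        candidate = totp(seed_b32, unix_time + drift * 30)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_SEED_B32, now)
    print("current code from the seed:", code)
    print("service accepts it:", verify(SAMPLE_SEED_B32, code, now))
```

The `verify` function is the part that matters for the article’s point: a TOTP service only checks that the submitted code matches what the seed produces, so confidentiality of the seed at rest (on the phone and in any backup) is the whole security of the second factor.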
Authy, another popular authenticator app, has grown in popularity over the years as it offers cloud backups of end-to-end encrypted 2FA tokens.
When using this feature in Authy, users must enter a password that only they know, and all backup data is encrypted with it before it leaves their mobile device.
Additionally, Authy does not allow data backup unless an end-to-end encryption password is set, providing better security.
However, this design carries its own risk: users who forget the password lose access to their data and cannot restore it to another device.
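The following added Python example (not Authy’s or Google’s code) illustrates the end-to-end encryption model described above and the trade-off the article notes: the backup is encrypted on the device with a key derived from a user-chosen password, the server only ever stores ciphertext, and a wrong or forgotten password leaves the backup unrecoverable. The account entries and seeds are constructed samples. The cipher is an encrypt-then-MAC construction built from the standard library (PBKDF2-HMAC-SHA256 for the key, an HMAC-SHA256 keystream for confidentiality, HMAC-SHA256 for integrity) so that it runs without third-party packages; a production app would use an authenticated cipher such as AES-GCM, and the iteration count is an assumption, not Authy’s parameter.

```python
import hashlib
import hmac
import json
import os

# Constructed sample backup: two accounts with made-up base32 seeds.
SAMPLE_BACKUP = [
    {"issuer": "example.com", "account": "alice", "seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    {"issuer": "mail.example", "account": "alice", "seed": "JBSWY3DPEHPK3PXP"},
]
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for the example)


def _derive_keys(password: str, salt: bytes):
    """One password-derived 64-byte key, split into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real stream/AEAD cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_backup(entries, password: str) -> bytes:
    """Runs on the device. The returned blob is all the cloud ever receives."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = json.dumps(entries).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag


def decrypt_backup(blob: bytes, password: str):
    """Runs on the new device. Returns None if the password is wrong or the blob was altered."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # no password, no recovery: the trade-off the article describes
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def seeds_visible_without_password(blob: bytes) -> bool:
    """What a server-side reader of the stored blob can learn without the password."""
    return b"seed" in blob or any(e["seed"].encode() in blob for e in SAMPLE_BACKUP)


if __name__ == "__main__":
    stored = encrypt_backup(SAMPLE_BACKUP, "correct horse battery staple")
    print("server sees seeds:", seeds_visible_without_password(stored))
    print("restore with right password:", decrypt_backup(stored, "correct horse battery staple"))
    print("restore with wrong password:", decrypt_backup(stored, "guess"))
```

Contrast this with the sync behaviour Mysk reported: without the password step, the equivalent of `SAMPLE_BACKUP` travels to and sits on the server in a form the provider can read, and the `seeds_visible_without_password` check would return true.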
E2EE comes to Google Authenticator
Google has heard user concerns about the lack of end-to-end encryption and said it will add it to a future version of Google Authenticator.
Christiaan Brand, Group Product Manager at Google, told BleepingComputer that because end-to-end encryption can lock users out of their own data, Google rolls the feature out carefully across its products.
“The safety and security of our users is paramount to everything we do at Google, and it’s a responsibility we take seriously. The recent update to the Google Authenticator app was made with that mission in mind, and we took careful steps to ensure that we could offer it to users in a way that not only protects their security and privacy, but is also useful and convenient,” Brand told BleepingComputer.
“We encrypt data in transit and at rest in our products, including in Google Authenticator. End-to-end encryption (E2EE) is a powerful feature that provides additional protections, but at the cost of allowing users to be blocked out of their own data without recovery. To ensure that we provide a full set of options to users, we have also started rolling out E2EE as an option in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”
Google already provides E2EE in some of its other services, such as Chrome, which lets you set a passphrase to encrypt data synced with your Google account.