Sync in Google Authenticator does not have E2E encryption yet, so use it at your own risk
Google launched a highly requested feature in its Authenticator app a couple of days ago in the form of sync functionality. What this means is that Google Authenticator users can transfer "secrets" across multiple devices so even if you lose your primary device which had the app installed, you could just restore it on a secondary device and continue using two-factor authentication (2FA). However, a security firm has now revealed an arguably big flaw in the design of this syncing functionality, which may deter some users from continuing to leverage it.
The security researchers over at Mysk have reported that the syncing of Google Authenticator secrets across devices is not end-to-end (E2E) encrypted. For those unaware, a secret is the seed from which the 2FA codes that users type in to log in to their accounts are generated. Since these secrets are not E2E encrypted in Google's implementation, an attacker who compromises your network, your Google account, or related infrastructure would be able to read the secrets easily and generate your 2FA codes themselves.
Mysk further noted how even Google could misuse your secrets for personalized ads:
Google has admitted that E2E encryption is lacking in its current rollout of sync functionality in Authenticator. It says this is because it wanted to ship the highly requested convenience feature first and implement E2E encryption later, which is ironic given that customers have already been requesting sync for several years.
In a statement to CNET, Google noted that:
As it stands, Mysk has advised Google Authenticator customers not to use the sync functionality until E2E encryption is added. However, Google has not given a timeline either, so there is no knowing when it will arrive.