Google is bringing end-to-end encryption to Google Authenticator cloud backups after researchers warned users against syncing 2FA codes with their Google accounts.
This week, Google Authenticator finally received the long-awaited feature of being able to back up 2FA tokens to the cloud.
This new feature allows users to synchronize their Google Authenticator 2FA tokens with their Google Account, providing a backup if their mobile device is lost or damaged.
It allows users to access their 2FA tokens on multiple devices as long as they are all logged into the same Google account.
No end-to-end encryption
However, shortly after Google Authenticator cloud sync was announced, security researchers at Mysk found that the 2FA secrets were not end-to-end encrypted when uploaded to Google's servers.
“We analyzed the network traffic when the application synced the secrets, and it turned out that the traffic was not end-to-end encrypted,” Mysk tweeted.
“As shown in the screenshots, this means that Google can see the secrets, possibly even while they are stored on their servers. To protect the secrets, there is no option to add a passphrase to make them accessible only by the user.”
End-to-end encryption means that data is encrypted on the user's device, with a key derived from a secret that only the owner knows, before it is transmitted to and stored on another system. Because only the owner holds the key, nobody else can read the data, including whoever operates the server that stores it.
Since Google Authenticator's sync does not offer end-to-end encryption, the 2FA secrets are stored on Google's servers in a form that Google can read, and that an attacker could read too, whether through a breach of Google's infrastructure or an unscrupulous employee.
“Each 2FA QR code contains a secret, or seed, that is used to generate one-time codes. If someone else knows this secret, they can generate the same one-time codes and defeat 2FA security,” Mysk continued.
“Therefore, if there is ever a data breach or if someone gains access to your Google Account, all of your 2FA secrets will be compromised.”
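To make the point above concrete, here is an added example (not code from the article, Mysk or Google) of what a seed actually is and why whoever holds it holds the account. The block parses the `otpauth://` URI that a 2FA QR code encodes, implements TOTP as specified in RFC 6238 on top of HOTP (RFC 4226), and then does what an attacker with a cleartext backup would do: mint a valid code for every account in it. The sample URI is constructed for the example; its secret is the RFC 6238 test seed, so the outputs can be checked against the RFC's own test vectors.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Extract label, seed and parameters from an otpauth://totp/... URI (what the QR code holds)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)          # re-add base32 padding many apps strip
    return {
        "label": unquote(u.path.lstrip("/")),
        "seed": base64.b32decode(secret),       # this is the value a cleartext backup exposes
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def hotp(seed, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, at=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    t = int(time.time() if at is None else at)
    return hotp(seed, t // period, digits, algorithm)


# Constructed sample backup entry; the secret is the RFC 6238 test seed "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")


def codes_from_backup(backup_uris, at=None):
    """What anyone holding an unencrypted backup can do: produce the valid code for every account."""
    codes = {}
    for uri in backup_uris:
        acct = parse_otpauth(uri)
        codes[acct["label"]] = totp(acct["seed"], at, acct["digits"], acct["period"], acct["algorithm"])
    return codes


if __name__ == "__main__":
    for label, code in codes_from_backup([SAMPLE_URI]).items():
        print(f"{label}: {code}")
```

The user's phone and the attacker's script run exactly the same arithmetic over exactly the same seed, so the codes are identical; there is nothing a server-side access control can add once the seed itself has been read.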
Authy, another popular authenticator app, has grown in popularity over the years because it offers cloud backups of 2FA tokens that are end-to-end encrypted.
When using this feature in Authy, users must set a backup password that only they know, and the backup is encrypted with a key derived from that password before it leaves their mobile device.
Additionally, Authy does not allow data to be backed up at all unless a backup password has been set, which is the safer default.
However, this design carries its own risk: a user who forgets the backup password cannot decrypt the backup on a new device, and since the provider never held the key, nobody can recover it for them.
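The definition of end-to-end encryption given earlier and the Authy behaviour just described are the same mechanism, shown here as an added example that is not code from Authy, Google or the article. The seeds are serialised on the device, a key is derived from the user's passphrase with PBKDF2-HMAC-SHA256 (the iteration count is an assumption, not a value taken from any product), and the blob that goes to the server is ciphertext plus an authentication tag. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because it needs nothing beyond the standard library; a real product would use an AEAD such as AES-GCM from a vetted library. The sample seed is the RFC 6238 test seed and the passphrases are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ITERS = 600_000   # assumption for the example; pick per current guidance for PBKDF2-HMAC-SHA256


def _derive_keys(passphrase, salt):
    """Stretch the passphrase into separate encryption and MAC keys; the server never sees either."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || block_index) concatenated to the needed length."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), "sha256").digest()
        block += 1
    return out[:length]


def encrypt_backup(seeds, passphrase):
    """Runs on the device. Returns salt || nonce || tag || ciphertext, the only thing uploaded."""
    plaintext = json.dumps(seeds).encode()
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()   # encrypt-then-MAC over everything
    return salt + nonce + tag + ct


def decrypt_backup(blob, passphrase):
    """Runs on the new device. Fails closed on a wrong passphrase or a tampered blob."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered backup; no recovery possible")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def restore_with(blob, passphrase):
    """The lock-out case as a value: the seeds on success, None if the passphrase is gone."""
    try:
        return decrypt_backup(blob, passphrase)
    except ValueError:
        return None


# Constructed sample: one account, base32 of the RFC 6238 test seed.
SAMPLE_SEEDS = {"Example:alice@example.com": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}

if __name__ == "__main__":
    blob = encrypt_backup(SAMPLE_SEEDS, "correct horse battery staple")
    print("server stores", len(blob), "opaque bytes")
    print("right passphrase:", restore_with(blob, "correct horse battery staple"))
    print("forgotten passphrase:", restore_with(blob, "something else"))
```

Two properties fall out of the code directly. The server holds salt, nonce, tag and ciphertext and none of them is usable without the passphrase, which is the protection Mysk asked for; and `restore_with` returning `None` for a forgotten passphrase is exactly the lock-out Google cites as the reason for rolling E2EE out carefully.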
E2EE is coming to Google Authenticator
Google has heard users’ concerns about the lack of end-to-end encryption and has said they will add it to a future version of Google Authenticator.
Google Group Product Manager Christiaan Brand told BleepingComputer that, because end-to-end encryption lets users lock themselves out of their own data with no way back, Google is rolling the feature out to its products carefully.
“The safety and security of our users is at the forefront of everything we do at Google, and it’s a responsibility we take seriously. The latest update to the Google Authenticator app was made with that mission in mind, and we’ve taken careful steps to ensure we’re able to offer users a way that protects their security and privacy, but is also useful and convenient,” Brand told BleepingComputer.
“We encrypt data in transit and at rest, in our products, including Google Authenticator. End-to-end encryption (E2EE) is a powerful feature that provides additional security, but at the cost of enabling users to get locked out of their own data without recovery. To ensure we’re offering a full set of options for users, we’ve also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”
Google already offers E2EE in some of its services; Chrome, for example, lets you set a sync passphrase so that data synced with your Google Account is encrypted before it leaves the browser.