Security researchers warn users of Google Authenticator not to turn on the cloud sync feature that Google made available to Android and iOS users recently, as the security of their 2FA data on the cloud isn’t guaranteed.
On April 24, 2023, Google announced that a new release of the Authenticator app (v6.0 on Android and v4.0 on iOS), a specialized tool that helps users generate one-time codes for their online accounts, will support cloud syncing for easier account recovery in the case of device loss, as well as synchronization across various of the user’s devices.
While this new option brought cheers and joy to long-time users of the app, who could now feel more comfortable storing their account access keys on the cloud, some felt this would be too risky if Google didn’t take the appropriate security precautions.
To determine if these fears were substantiated, security researcher duo ‘Mysk’ posted their findings on Twitter urging users to avoid turning on the syncing option, as it does not protect their 2FA codes from man-in-the-middle attacks.
“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” explained Mysk.
“This means that Google can see the secrets, likely even while they’re stored on their servers, and there is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”
Google responded to this omission through its Product Manager, Christiaan Brand, who stated on Twitter that the company plans to add end-to-end encryption in a future version of the Authenticator app.
“We encrypt data in transit, and at rest, across our products, including in Google Authenticator. End-to-End Encryption (E2EE) is a powerful feature that provides extra protections but at the cost of enabling users to get locked out of their own data without recovery. To make sure that we’re offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”C. Brand (Google)
Brand further stated that at this time, Google is confident that the product strikes the right balance for the majority of users, providing significant benefits over the security-wise superior offline use for those who opt to use cloud sync.
RestorePrivacy recommends that users of Google Authenticator continue to use the app without the cloud syncing feature until Google rolls out end-to-end encryption. For easier restoration in case of device loss, make sure to generate and safely store one-time backup codes for your most valuable accounts.