Google is bringing end-to-end encryption to Google Authenticator cloud backups after researchers warned users against synchronizing 2FA codes with their Google accounts.
This week, Google Authenticator finally received the long-awaited ability to back up 2FA tokens to the cloud.
This new feature allows users to synchronize their Google Authenticator 2FA tokens with their Google account, providing a backup if their mobile device is lost or damaged.
It also allows users to access their 2FA tokens on multiple devices as long as they are all logged into the same Google account.
No end-to-end encryption
However, soon after Google Authenticator cloud sync was announced, security researchers at Mysk found that the data was not end-to-end encrypted: the upload is protected by TLS in transit, but the secrets arrive at Google's servers in a form Google itself can read.
“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” reads a tweet from Mysk.
“As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”
End-to-end encryption means data is encrypted on the user's device, with a key (typically derived from a passphrase) known only to the owner, before it is transmitted to and stored on a server. Because the server never holds that key, the data cannot be read by anyone else, including people with access to the server it is stored on.
Because Google Authenticator does not offer end-to-end encryption, the seeds are stored on Google's servers in a form that Google can decrypt (encryption "at rest" does not help here, since Google holds the key), so they could be exposed by a breach of Google or by an unscrupulous employee.
“Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections,” continued Mysk.
“So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”
Authy, another widely used authenticator app, has grown in popularity over the years partly because it offers cloud backups of 2FA tokens that are end-to-end encrypted.
To use this feature on Authy, users must set a backup password known only to them; the seeds are encrypted with a key derived from that password before they leave the mobile device.
Furthermore, Authy does not allow data to be backed up unless a backup password has been set, so there is no unencrypted fallback.
The trade-off is that there is no recovery path: a user who loses the password is locked out of the backup and cannot restore it to another device.
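As an added illustration of the passphrase-based design described above (not Authy's or Google's actual backup format), the following sketch encrypts a list of seeds on the device with a key derived from a user passphrase, so that the server stores only ciphertext, and shows the lockout failure mode: a wrong passphrase fails authentication and the seeds cannot be recovered. It uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag rather than an AEAD; real code would use AES-GCM or similar. The sample seeds, passphrase and iteration count are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed sample data for this example.
SAMPLE_SEEDS = ["GEZDGNBVGY3TQOJQ", "JBSWY3DPEHPK3PXP"]
PBKDF2_ROUNDS = 200_000  # example cost only; tune for the target devices


def _derive_keys(passphrase, salt):
    """Stretch the user's passphrase into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64)
    return master[:32], master[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for a real cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_backup(seeds, passphrase):
    """Runs on the phone: the returned dict is everything the server ever receives."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = json.dumps(seeds).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_backup(blob, passphrase):
    """Runs on the new phone. Raises if the passphrase is wrong: there is no other way in."""
    salt, nonce, ciphertext, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or corrupted backup; seeds are unrecoverable")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def server_sees_seed(blob, seed):
    """What a breach or an insider on the server side can learn: is the seed visible in the stored blob?"""
    return seed.encode("utf-8") in bytes.fromhex(blob["ct"])


if __name__ == "__main__":
    passphrase = "correct horse battery staple"
    blob = encrypt_backup(SAMPLE_SEEDS, passphrase)
    print("stored on server:", blob)
    print("seed visible to server:", server_sees_seed(blob, SAMPLE_SEEDS[0]))
    print("restored with right passphrase:", decrypt_backup(blob, passphrase))
    try:
        decrypt_backup(blob, passphrase + "r")
    except ValueError as err:
        print("restore with wrong passphrase failed:", err)
```

The server holds salt, nonce, ciphertext and tag, none of which reveal the seeds without the passphrase, and the same property is exactly what produces the lockout: the provider cannot reset a passphrase it never had.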
E2EE coming to Google Authenticator
Google has heard users' concerns about the lack of end-to-end encryption and said it will add it to a future version of Google Authenticator.
Google Group Product Manager Christiaan Brand told BleepingComputer that because end-to-end encryption can leave users locked out of their own data with no way to recover it, Google is rolling the feature out carefully across its products.
“The security and safety of our users is paramount to everything we do at Google, and it’s a responsibility we take seriously. The recent update to the Google Authenticator app was done with that mission in mind and we took careful steps to ensure we were able to offer it to users in a way that protects their security and privacy, but is also useful and convenient,” Brand told BleepingComputer.
“We encrypt data in transit, and at rest, across our products, including in Google Authenticator. End-to-End Encryption (E2EE) is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To ensure that we’re offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”
Google already offers E2EE in some of its services; Google Chrome, for example, lets users set a sync passphrase so that data synchronized with their Google account is encrypted on the device before it reaches Google.