Why you shouldn't turn on Google Authenticator's cloud sync feature
Google Authenticator is a popular two-factor authentication app that generates one-time codes for login and authorization flows. Until now, Google Authenticator did not sync codes across a customer's devices, which meant that customers had to set up each account manually on every device.
Google introduced support for syncing two-factor authentication codes via its Google Authenticator app this week. The new feature improves usability for people who use the app on more than one device: Google customers can sync codes across iOS and Android devices with it.
While many users may have enabled the feature already, it is advised to keep it turned off for now. Here is why: the synced data, which contains highly sensitive information, is not end-to-end encrypted. Analysis of the network traffic shows that the secrets are not encrypted in a way that keeps them from Google, which means that Google, and likely anyone who gains access to the Google Account, can read them.
The secret, in this case, is the seed from which the one-time codes are generated, and it is the shared secret on which the second factor rests. In other words, anyone with access to the seed can produce valid one-time codes for the linked service. The synced data often also includes the name of the linked service and the account name.
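To make concrete why the seed is the whole secret, here is an added example (not from the article or from Google) that implements the standard TOTP algorithm (RFC 6238) in plain Python: any party holding the same base32 seed derives exactly the same codes as the enrolled device. The seed below is the RFC's published test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference key: the ASCII string "12345678901234567890", base32-encoded.
# This is a published test vector, not anyone's real authenticator seed.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, for_time=None, digits: int = 6, step: int = 30) -> str:
    """Compute a TOTP code (RFC 6238, HMAC-SHA1) from a base32 seed.

    The code depends only on the seed and the current 30-second window,
    so the seed alone is sufficient to reproduce every future code.
    """
    # Authenticator apps often omit base32 padding; restore it before decoding.
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    now = int(time.time()) if for_time is None else int(for_time)
    counter = now // step
    # HOTP core: HMAC over the big-endian 8-byte counter, then dynamic truncation.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def same_codes_from_same_seed(seed_b32: str, for_time: int) -> bool:
    """Model an enrolled device and a second party that obtained only the
    seed (for example from an unencrypted sync blob): their codes match."""
    enrolled_device_code = totp(seed_b32, for_time)
    seed_holder_code = totp(seed_b32, for_time)
    return enrolled_device_code == seed_holder_code


if __name__ == "__main__":
    # RFC 6238 Appendix B lists 94287082 for T=59 with 8 digits (SHA1).
    print(totp(RFC_TEST_SEED_B32, 59, digits=8))
    print(same_codes_from_same_seed(RFC_TEST_SEED_B32, 59))
```

The `for_time` parameter exists only so the RFC test vectors can be checked; leaving it unset uses the current clock like a real authenticator.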
Mysk discovered the issue and made it public here. They recommend keeping the sync option disabled for the time being, at the expense of convenience, to keep the data secure.
They stated: "We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they're stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."
Google might, at some point, introduce support for a user-chosen passphrase that protects the data before it is transferred to the company's cloud servers.
Another consequence of the current design is that Google could hand over the secrets when legally required to do so. With end-to-end encryption in place, Google would not be able to provide the requested data, because it would not hold the key.
You can check out Ashwin's guide on the best Authenticator apps for Android and iOS here.