Why you shouldn't turn on Google Authenticator's cloud sync feature

Martin Brinkmann
Apr 26, 2023

Google Authenticator is a popular two-factor authentication app to create codes for authorization processes. Up until now, Google Authenticator did not sync codes across a customer's devices, which meant that customers had to install and set up these solutions manually on each device.

Google introduced support for syncing two-factor authentication codes via its Google Authenticator app this week. The new feature improved the usability for multi-device users of the app. Google customers could sync codes across iOS and Android devices using the feature.

While many users may have enabled the feature already, it is advised to keep it turned off for now. Here is why: the data, which contains highly sensitive information, is not end-to-end encrypted. Analysis of network traffic reveals that the data is not encrypted properly, and this means that Google and likely also anyone who gains access to the Google Account may gain access to the secrets.

The secret, in this case, is the seed that is used to generate the one-time codes. It is essential for two-factor authentication. In other words, anyone with access to the secret may create one-time codes for the linked service.  Often, information about the linked service and an account name may also be present in the data.

How to set up sync in google authenticator app

Mysk discovered the issue and made it public here. They recommend keeping the sync option disabled for the time being, at the expense of convenience, to keep the data secure.

They stated: "We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."

Google might, at one time, introduce support for a passphrase that users may specify to protect the data when it is transferred to the company's cloud servers.

Another issue that may arise out of this is that Google might provide the information when requested to do so legally. With end-to-end encryption enabled, Google could not provide the requested data.

You can check out Ashwin's guide on the best Authenticator apps for Android and iOS here.

Why you shouldn't turn on Google Authenticator's cloud sync feature
Article Name
Why you shouldn't turn on Google Authenticator's cloud sync feature
The article explains why you may not want to turn on cloud syncing of secrets using Google's Authenticator application for Android or iOS.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Anonymous said on May 25, 2023 at 5:56 am

    How do I turn this feature off. I inadvertently pushed the cloud icon and now I can figure out how to turn it off and delete my secrets stored somewhere in a secret Google cache

  2. Anonymous said on May 2, 2023 at 12:47 am

    “Stronger security with Google Authenticator” ahem

  3. James Kirk said on April 28, 2023 at 5:42 am

    Microsoft Authenticator also syncs to the cloud. Does anyone have an idea if this issue affects it too?

    I would be too glad if services moved to hardware form of authenticator like requiring a Yubikey or something similar but few services do that.

  4. Tachy said on April 27, 2023 at 1:58 am

    People furiously go on and on about Google invading their privacy, and then they give them all their passwords. /facepalm

    1. Anonymous said on April 27, 2023 at 2:20 am

      > People furiously go on and on about Google invading their privacy, and then they give them all their passwords.

      Good grief!
      That’s a totally misguided bullshit!
      Passwords are exposed because of the “unawareness” of the user.
      Because many people are looking for “convenience and easy only.” Such people believe in Google. So it can be said that Google (is making users blind to the fact that) is the root of the problem.

  5. owl said on April 27, 2023 at 1:03 am

    Google’s proposed “Google Authenticator (2FA)” uses ClientID.

    We are told not to worry because “data collected by Google will be anonymized,” but are we really not worried?
    There is data that falls under the category of personal information (‘Unique Identifier’ or ‘Persistent Identifier’) as defined in the CCPA. One of them is the ClientID.

    ClientID is a unique ID stored in a cookie and used by Google to identify individual users.
    Google uses authentication methods to collect and profiling “unique personal information” and must take these big tech speculations into account.

    1. owl said on April 27, 2023 at 6:26 am

      Some browsers are entirely designed to collect your data. If you use a big tech company’s web browser, ask yourself the following question: what is their business model? This comic is a fun (well, not fun, but you get it) read on the subject. As the comic artist and digital rights activist Leah Elliot puts it: “Chrome collects your IP address, the words you search for, the videos you watch, the pages you visit, the ads you click, your purchase activity, the network of people you’re in touch with, and much more. All facets of your life are scrupulously collected, analyzed and assembled into an intimate profile: a data text that aims to describe what makes you you.”

      And there are several other browsers today that limit things like third-party-based tracking. However, as a result of this, advertisers and others interested in capitalizing on your behavioral data have invested in other tactics for tracking users around the web.

      with browsers blocking third-party resources and cookies are under legal attack, advertisers and other data gatherers are looking for other solutions.

      Above citation source:

  6. Someone said on April 26, 2023 at 9:01 pm

    always create an encrypted backup of your sensitive info and passwords.
    Dont trust google so much on this.

  7. Yash said on April 26, 2023 at 6:15 pm

    Folks use a dedicated password manager and save your 2FA tokens there. Always maintain an encrypted backup of that data and keep it safe or upload it – it is encrypted FFS.

    For those who use only Google dedicated solutions.

    1. Carl said on April 26, 2023 at 8:19 pm

      Just use Aegis or any good F-Droid based authenticator. Yes local storage for all the backups as you say.

      The cloud is a botnet.

  8. Chumley said on April 26, 2023 at 5:51 pm

    Wow, this is kind of shocking, and seems really irresponsible of Google. I’m certainly glad that I don’t use this app.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.