A few days ago, Google launched a much-requested feature in its Authenticator app: sync functionality. This means Google Authenticator users can transfer the “secret” to multiple devices, so even if you lose the primary device that had the app installed, you can simply restore it on a secondary device and continue to use two-factor authentication (2FA). However, a security firm has now revealed a major flaw in the design of this sync functionality, which could deter some users from taking advantage of it.

Security researchers at Mysk have reported that syncing Google Authenticator secrets across devices is not end-to-end (E2E) encrypted. For those unfamiliar, a secret is the seed used to generate the 2FA codes that users type in to log into various accounts. Because these secrets are not E2E encrypted in Google’s implementation, an attacker who compromises your network, your Google account, or related infrastructure will be able to access the secrets, generate your 2FA codes and gain control of the protected accounts.
Mysk also explained how Google could abuse your privacy for personalized ads:
[…] 2FA QR codes usually contain other information such as account name and service name (e.g. Twitter, Amazon, etc.). Because Google can see all of this data, it knows which online services you use, and can potentially use this information for personalized advertising.
Surprisingly, Google Data Export does not include the 2FA secrets stored in the user’s Google Account. We downloaded all the data associated with the Google account we used, and found no trace of 2FA secrets.
Bottom line: While it’s easy to sync 2FA secrets across devices, it comes at the cost of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing a secret. We currently recommend using the app without the new sync feature.
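To make concrete what the paragraph above and Mysk’s quote describe, here is an added example (not code from Mysk or Google) that parses a constructed otpauth:// enrollment URI, the same data a 2FA QR code carries, and derives the one-time code from the secret with the standard RFC 6238 TOTP algorithm. The issuer, account name and secret are made up for this example; the point is that whoever holds the synced entry holds both the service/account metadata and everything needed to produce valid codes.

```python
import base64
import hmac
import struct
from hashlib import sha1
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of what a 2FA enrollment QR code decodes to
# (Key URI format used by Google Authenticator). Values are made up.
SAMPLE_URI = ("otpauth://totp/Example%20Service:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Service&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Return the fields a sync server sees if the entry is uploaded without E2E encryption."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    label = unquote(u.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "issuer": q.get("issuer", issuer_from_label),  # which online service you use
        "account": account,                            # which account there
        "secret": q["secret"],                         # the actual credential
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the secret alone is enough to produce every code."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // period)          # time step since the Unix epoch
    digest = hmac.new(key, counter, sha1).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_from_synced_entry(uri: str, at: int) -> dict:
    """What an unencrypted sync backup exposes: metadata plus a current valid code."""
    e = parse_otpauth(uri)
    return {"issuer": e["issuer"], "account": e["account"],
            "code": totp(e["secret"], at, e["digits"], e["period"])}
```

With E2E encryption only the device holding the user’s key could run `parse_otpauth` and `totp` on the backup; without it, the sync provider or anyone who takes over the Google account can.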
Google has admitted that the current rollout of the Authenticator sync functionality lacks E2E encryption. It says this is because it wanted to ship a highly requested feature for convenience first and implement E2E encryption later, which is ironic given that users have been requesting sync for many years.
In a statement to CNET, Google noted that:
End-to-End Encryption (E2EE) is a powerful feature that provides additional protection, but at the cost of enabling users to lock out their own data without recovery. To ensure that we offer a full set of options for users, we have also introduced optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.
As it stands, Mysk advises Google Authenticator users not to use sync until E2E encryption is added. However, Google hasn’t given a timeline, so it’s not known when that will arrive.
Source: Mysk (Twitter)