On Monday, Google Authenticator launched the ability to sync 2FA codes to your Google account. It has since emerged that the capacity is not end-to-end encrypted (E2EE), and Google explained why today.
Security researchers at Mysk yesterday criticized the fact that Google Authenticator’s new sync capability is not end-to-end encrypted (E2EE), which means Google could, in theory, access and replicate your 2FA codes.
This complaint is valid for those who are very security-conscious and don’t trust Google (or a malicious third party) not to access user data. Those with these concerns want to ensure that no one but them can access their 2FA codes, by encrypting them end-to-end with a separate key (or password) that only they know.
Google explained today that the goal of Authenticator’s new sync feature is “to provide features that protect users, but are useful and convenient.” While acknowledging that “E2EE is a powerful feature that provides additional protections”, Google noted the downside: users can “be locked out of their own data without recovery” if they forget or lose their Google Account password (or any extra layer of security they have added).
Google’s password manager today offers on-device encryption which “turns your device into a key used to lock your passwords before they are saved in Google Password Manager”. However, “if you lose the key, you may also lose your passwords”.
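The trade-off the article describes (a user-held key that Google never sees, versus recoverability) is easy to see in code. The following is an added illustration, not Google’s or Mysk’s code and not how Authenticator is implemented: it derives an encryption key and a MAC key from a user passphrase with PBKDF2, encrypts a TOTP seed client-side before it would be uploaded, and shows that the server-side blob cannot produce codes while a forgotten passphrase cannot recover the seed. The cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen only because it needs nothing beyond the Python standard library; a real implementation would use an AEAD such as AES-GCM. The TOTP seed is the RFC 6238 test vector, and all names (`seal`, `unseal`, `derive_keys`) are my own.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# --- TOTP (RFC 6238, SHA-1, 30 s step, 6 digits): what an authenticator app computes ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

# --- Client-side (end-to-end) encryption under a passphrase only the user knows ---

def derive_keys(passphrase: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> (encryption key, MAC key). The server never sees the passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC used as a PRF in counter mode; illustrative stand-in for a real stream/AEAD cipher.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def seal(secret: bytes, passphrase: str) -> dict:
    """Encrypt a TOTP seed on the device. The returned blob is what would be synced to the cloud."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(blob: dict, passphrase: str) -> Optional[bytes]:
    """Decrypt on a new device. Returns None if the passphrase is wrong or the blob was tampered with."""
    enc_key, mac_key = derive_keys(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None                              # wrong passphrase == locked out, no recovery path
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

if __name__ == "__main__":
    seed = b"12345678901234567890"               # RFC 6238 test secret (constructed input)
    print("code at t=59:", totp(seed, 59))       # 287082 per the RFC test vectors
    blob = seal(seed, "correct horse battery staple")
    print("server sees only ciphertext:", blob["ct"].hex())
    print("right passphrase recovers seed:", unseal(blob, "correct horse battery staple") == seed)
    print("wrong passphrase recovers nothing:", unseal(blob, "forgotten") is None)
```

The last line is the point Google is making: with a server-held key, account recovery can restore the seeds; with a user-held passphrase, a forgotten passphrase leaves only an unreadable blob.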
That being said, Google “plans to offer E2EE for Google Authenticator down the line.” In the meantime, the company reminded users that they can continue to use the app offline, without Google Account sync.
The company also noted today that it encrypts data in transit and at rest for Authenticator and all other Google products.
Also, if you’ve set up Google Authenticator on multiple devices, be careful when updating to the new version and enabling syncing. During synchronization, Google won’t recognize identical codes or merge them automatically, so you might end up with many duplicates.
To avoid this, set up synchronization on your primary device first, then delete all other instances of the Google Authenticator app. When you reinstall the updated app on secondary devices, it will simply sync from your primary device and not show duplicates.
Kyle Bradshaw contributed to this post