After a few years without significant changes, Google Authenticator was updated to allow code sync to the cloud. While this feature eliminated one of its big flaws, the implementation fell short from a security point of view. The lack of end-to-end (E2E) encryption leaves one-time keys vulnerable; however, Google has confirmed that it will add this feature later.

Christian Band, Product Manager at Big G, posted a series of tweets dismissing the security risks of Google Authenticator. The company said its aim is to offer features that protect users but are also useful and convenient. “We encrypt data in transit and at rest across all of our products, including Google Authenticator,” Band said.

According to Band, E2E encryption is a powerful feature that provides additional protection, but at the cost that users can be locked out without the ability to recover their data. This is similar to what happened in the previous version of Google Authenticator, where the keys were lost if the person could not access the device that the app was on.

While Band claims that the current version of Google Authenticator strikes the right balance for most users, there are plans to improve security by adding end-to-end encryption.

“To ensure that we offer our users a complete set of options, we have begun implementing additional E2E encryption in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”

Those who don’t want to sync Google Authenticator to the cloud will still be able to use the app offline, where one-time codes will be stored locally on the device.

Why is end-to-end encryption important in Google Authenticator?

Tommy Mysk, one of the two security researchers who discovered the lack of E2E encryption in Google Authenticator, explained why this feature is important. Mysk, together with Talal Haj Bakri, analyzed network traffic while the app was syncing with Google servers. According to the experts, the lack of encryption means that Google can see your passwords, even if they are already saved.

Each 2-Factor Authentication (2FA) QR code contains a secret, or a seed, that is used to generate one-time codes. If anyone else knows the secret, they can generate the same unique codes and bypass 2FA protection. If there is ever a data breach or someone gains access to your Google account, all your 2FA secrets will be compromised.

Mysk

This is not the only drawback: according to the researchers, QR codes often contain other information, such as the account name and service name. Having access to this data, Google will know which services you use, in order to send you personalized ads. “Letting a data-hungry tech giant display all the accounts and services that every user has is not good,” Mysk said.

Mysk and other cybersecurity researchers recommend not signing in to Google Authenticator until end-to-end encryption is implemented. “While syncing 2FA secrets across devices is convenient, it comes at the cost of your privacy,” they said.


Source: Hiper Textual

I'm Ben Stock, a highly experienced and passionate journalist with a career in the news industry spanning more than 10 years. I specialize in writing content for websites, including researching and interviewing sources to produce engaging articles. My current role is as an author at Gadget Onus, where I mainly cover the mobile section.
