A recent update to the Google Authenticator app has prompted developers to raise concerns about potential privacy and security risks, with critics saying the update makes the service less secure.
The update, available for Android and iOS, introduced a feature that allows users to back up their one-time authentication codes to the cloud. However, the security researchers and developers known as Mysk discovered that the network traffic involved in this process is not end-to-end encrypted.
Mysk explained that the one-time codes generated by the app are derived from a secret, or seed, contained in the 2FA QR code. Anyone who obtains this secret can generate the same one-time codes and bypass 2FA protection. This means that in the event of a data breach or unauthorized access to a user’s Google Account, all of their 2FA secrets would be compromised.
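To make the point concrete, here is an added example (not code from the article, Mysk or Google) that computes RFC 6238 TOTP codes from a constructed otpauth:// enrolment URI, the same structure a 2FA QR code carries, with the RFC 6238 reference key as its seed. It shows that the seed alone reproduces every code the server will accept, which is why a backup of it needs end-to-end encryption.

```python
"""RFC 6238 TOTP from a 2FA QR payload: the seed is the whole asset.
Added example, not code from the article, Mysk or Google. SAMPLE_URI is a
constructed enrolment URI (its seed is the RFC 6238 reference key); a real
2FA QR code carries the same structure. Whoever holds the seed, e.g. from a
backup store that was not end-to-end encrypted, mints the identical codes.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI; this is what the QR code hands to the app.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri: str) -> dict:
    """Return the label, issuer and raw seed bytes carried by the URI."""
    p = urlparse(uri)
    q = parse_qs(p.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)             # restore stripped base32 padding
    return {"label": unquote(p.path.lstrip("/")),  # service + account name
            "issuer": q.get("issuer", [""])[0],
            "seed": base64.b32decode(b32)}


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(seed: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check: accept the current 30 s step or +/- skew steps."""
    return any(hmac.compare_digest(totp(seed, unix_time + 30 * d), code)
               for d in range(-skew, skew + 1))


def backup_leaks(uri: str, unix_time: int) -> dict:
    """Model a breached, unencrypted backup: the reader gets the account label
    (usable for profiling) and a seed that mints codes the server accepts."""
    info = parse_otpauth(uri)
    minted = totp(info["seed"], unix_time)   # computed off-device, no phone needed
    return {"label": info["label"], "issuer": info["issuer"],
            "code_accepted": verify(info["seed"], minted, unix_time)}
```

The values at times 59, 1111111109 and 1234567890 match the SHA-1 rows of the RFC 6238 test table (truncated to six digits), so the implementation can be checked against the standard directly.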
Additionally, Mysk pointed out that the 2FA QR codes also contain data related to the name of the service they are associated with, which could potentially be accessed by Google for personalized ad serving.
Prominent security analyst Graham Cluley supported Mysk’s findings and advised users against enabling the backup feature, as Google has not implemented it in a way that adequately protects user security.
Google acknowledged the frustration among users regarding lost or stolen devices with the Authenticator app installed. In response, the company added the backup feature to address this issue. Christiaan Brand, a group product manager at Google, stated in a blog post that the feedback from users played a crucial role in the decision to implement this feature.
With the new update, users can regain access to their one-time codes on a new phone after signing into the Authenticator app using their Google account. The app will automatically back up the codes to the cloud, although it is possible to use the app without a Google account.
It is worth noting that Microsoft’s Authenticator app already supports cloud backups, with the company taking measures to ensure that keys sent to the cloud are encrypted using AES-256, as outlined in its documentation.