Blog

Google Authenticator Will Have End-to-End Encryption

Now Reading

Earlier this week, Google announced that the Google Authenticator app would finally have cloud backup and cross-device syncing, but security experts noticed that the data was not end-to-end encrypted when it was uploaded to Google’s servers.

Let me remind you that we also wrote that Search for Random Leaks of API Keys, Passwords and Tokens Works for All GitHub Users, and also that OpenAI Introduced a Tool for Detecting Text Generated by Artificial Intelligence.

As you know, one of the most serious drawbacks of Google Authenticator has always been the lack of backup of one-time two-factor authentication (2FA) codes, as well as the lack of support for multiple devices at once.

By the way, the media reported that Cerberus Android Banker Steals 2FA Codes from Google Authenticator.

As a result, it turned out that having lost the device or losing access to it, the user was deprived of access to all accounts protected by this 2FA method, and restoring access became very difficult or impossible. It was also impossible to add 2FA codes to multiple devices without a cloud backup.

Now, these shortcomings have finally been fixed, but shortly after the company announced the introduction of cloud synchronization in Google Authenticator, security researchers from Mysk discovered that data was not end-to-end encrypted when uploaded to Google servers.

We analyzed the network traffic while the application synchronized secrets, and it turned out that the traffic was not end-to-end encrypted. As seen in the screenshots, this means that Google can see users’ secrets, most likely even when they are stored on servers. There is also no way to add a passphrase to protect secrets to make them available only to the user.the experts said on Twitter.

Encryption in Google Authenticator

Since Google Authenticator does not offer end-to-end encryption, the data is stored on Google servers in a format that unauthorized parties can access (it can be either a Google hack or the actions of an unscrupulous employee).

Each 2FA QR code contains a secret or seed that is used to generate one-time codes. If someone else knows this secret, they can generate the same one-time codes and bypass 2FA protection. This way, if there is ever a data breach or someone gains access to your Google account, all your 2FA secrets will be compromised.the experts concluded.

Google developers reacted to this statement of information security experts quite quickly, saying that they would definitely add end-to-end encryption to the next versions of Google Authenticator.

A company representative explained to Bleeping Computer that developers are afraid that end-to-end encryption can completely block their own data, so the company is trying to implement such functions very carefully.

We encrypt data in our products during transmission and storage, including in Google Authenticator. End-to-end encryption is a powerful feature that provides additional protection, but it can prevent users from accessing their own data beyond recovery. To provide a complete experience for our users, we have started to implement optional end-to-end encryption in some products and plan to offer E2EE for Google Authenticator in the future.said a Google spokesperson.

likethis

What's your reaction?

Love It

Like It

Want It

Had It

Hated It

Posted In