Google Authenticator's Cloud Sync Security Not Up to the Task (2024)


Security researchers warn users of Google Authenticator not to turn on the cloud sync feature that Google made available to Android and iOS users recently, as the security of their 2FA data on the cloud isn’t guaranteed.

On April 24, 2023, Google announced that a new release of the Authenticator app (v6.0 on Android and v4.0 on iOS), a specialized tool that generates one-time codes for users' online accounts, would support cloud syncing. The feature is meant to make account recovery easier if a device is lost and to keep codes synchronized across all of the user's devices.

While this new option brought cheers and joy to long-time users of the app, who could now feel more comfortable storing their account access keys on the cloud, some felt this would be too risky if Google didn’t take the appropriate security precautions.

Testing whether these fears were substantiated, the security researcher duo Mysk analyzed the app's sync traffic and posted their findings on Twitter, urging users not to turn on the syncing option: the app does not end-to-end encrypt the 2FA secrets it uploads, so the secrets are readable on Google's side rather than only by the user.

“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” explained Mysk.

“This means that Google can see the secrets, likely even while they’re stored on their servers, and there is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”
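To make concrete why an unencrypted sync of the secrets matters, the following added example (not code from the original article, from Mysk or from Google) implements RFC 4226 HOTP and RFC 6238 TOTP over a constructed sample seed. A TOTP "secret" is the only input an app needs to produce the six-digit codes, so any party that can read the synced seed, whether the user's second phone or a server, computes exactly the same codes. The sample seed is the RFC 6238 reference key, and the verification window shown is a design choice assumed here, not something the article describes.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample seed: the RFC 6238 reference key, base32-encoded the way
# authenticator apps store it. This seed is the value a cloud sync would upload.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(unix_time / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step, digits, algo)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1,
                step: int = 30) -> bool:
    """Server-side check: accept the code for the current step and `window`
    steps either side. The window absorbs small clock skew; a badly skewed
    phone clock falls outside it, which is what the app's time-correction
    setting fixes. compare_digest keeps the comparison constant-time."""
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, at + delta * step, step=step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # Two holders of the same seed produce the same code: the seed is the credential.
    print("user's phone :", totp(SAMPLE_SECRET_B32, now))
    print("seed copy    :", totp(SAMPLE_SECRET_B32, now))
    print("accepted     :", verify_totp(SAMPLE_SECRET_B32, totp(SAMPLE_SECRET_B32, now), now))
```

Run with `python3 totp_demo.py`; the two printed codes are always identical, which is the whole point: encryption in transit and at rest protects the seed from outsiders, but only encryption under a key the user alone holds (end-to-end encryption) prevents the service storing it from producing valid codes.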


Google responded to this omission through its Product Manager, Christiaan Brand, who stated on Twitter that the company plans to add end-to-end encryption in a future version of the Authenticator app.

“We encrypt data in transit, and at rest, across our products, including in Google Authenticator. End-to-End Encryption (E2EE) is a powerful feature that provides extra protections but at the cost of enabling users to get locked out of their own data without recovery. To make sure that we’re offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”

C. Brand (Google)

Brand further stated that, for now, Google is confident the product strikes the right balance for the majority of users: fully offline use remains the stronger option security-wise, but for those who opt in, cloud sync provides significant recovery and convenience benefits.

RestorePrivacy recommends that users of Google Authenticator continue to use the app without the cloud syncing feature until Google rolls out end-to-end encryption. For easier restoration in case of device loss, generate and safely store one-time backup codes for your most valuable accounts, or use the app's QR-code export to copy your accounts to a second device you control.


FAQs


Why is my Google Authenticator not syncing?

If your codes are being rejected, the usual cause is clock drift rather than the cloud sync feature: TOTP codes depend on the phone's clock matching the server's. On Android, open the main menu in the Authenticator app, go to Settings > Time Correction for codes, and select Sync now. Your verification codes should then be accepted again.

Is Google Authenticator cloud sync safe?

What's the security concern? Unlike some other authenticator apps, Google Authenticator does not end-to-end encrypt the secrets it uploads to Google's cloud servers. The upload itself is protected by encryption in transit and at rest, but because no user-held key or passphrase is involved, the secrets are readable by Google and by anyone who gains access to the Google Account or to the stored data.

How do I turn off Google cloud sync for Authenticator?

1. Open the Google Authenticator app.
2. Tap the account avatar in the top right corner, select [Use without an account], then tap [Continue] to disable cloud sync.

What are the security issues with Google Authenticator?

He also said Google Authenticator's lack of end-to-end encryption poses additional risks. "It also appears that the phone will sync your Google Authenticator codes up to the servers, and there are points afterwards where they could be unencrypted. It's a little difficult to say exactly when and where and for how long."

How do I turn on cloud sync on Google Authenticator?

To set up code synchronization, open the app to the screen of codes and tap the cloud icon at the top. A message tells you that your codes are being saved to your Google Account. You can then run Google Authenticator on a different device signed into the same account and you'll see the same codes.

How do I fix my Authenticator problem?

Troubleshooting the Microsoft Authenticator app on Android and iPhone (note: this is a different app from Google Authenticator):
  1. Turn on push notifications.
  2. Restart your phone.
  3. Update the app and your phone.
  4. Check your internet connection.
  5. Enable location services.
  6. Disable your VPN.
  7. Turn off Battery Optimization (Android).
Dec 4, 2023

What is Google Authenticator cloud sync?

Google added the sync feature so users can back up the secrets behind their two-factor authentication codes to their Google Account. This saves time and lets users restore their accounts on multiple devices simply by installing the app on a device signed into that Google Account.

Can I trust the Google Authenticator app?

Google Authenticator has long been a go-to because it's simple and reliable. It also has some valuable features, such as the option to export your account information to another device using just a QR code, and it allows you to use a Google Account to back up your logins.

What is the Google cloud sync feature?

In the context of Google Authenticator, cloud sync is the option, introduced with version 6.0 on Android and 4.0 on iOS, to save the app's one-time-code secrets to your Google Account so that they can be restored on, and kept in sync across, any device signed into that account.

What happens if I turn off Google Authenticator?

Your account is more secure when both a password and a verification code are needed to sign in. If you remove this extra layer of security by turning off 2-Step Verification on the account (not merely uninstalling the app), you will only be asked for a password when you sign in, and it may be easier for someone to break into your account.

What happens if I uninstall Google Authenticator?

If you accidentally uninstall the Authenticator app from your smartphone, you will need to reinstall it and then run through the account setup again, unless you had cloud sync turned on or an exported QR code to import. Once you have scanned the site's QR code, continue with the setup on the laptop.

Does Google Authenticator sync with a Google Account?

Yes. Google Authenticator 6.0 on Android and 4.0 on iOS introduces the option to keep all your verification codes synchronized across all your devices, simply by signing into your Google Account.

Why is 2FA no longer considered enough?

One reason code-based 2FA is weaker than it used to be is that attackers have become more sophisticated. Phishing kits can now present a fake login page that relays both the password and the one-time code to the real site in real time, so a code-based second factor does not stop a user who is tricked into entering it on the wrong page.

What changed about Google Authenticator?

April 24, 2023

We are excited to announce an update to Google Authenticator, across both iOS and Android, which adds the ability to safely backup your one-time codes (also known as one-time passwords or OTPs) to your Google Account.

How do I sync my Google Authenticator codes?

Steps
  1. Open the Google Authenticator app on one of your devices.
  2. Tap the Menu button (three horizontal lines).
  3. Tap Settings.
  4. Tap Sync.
  5. Follow the on-screen instructions.

How do I relink Google Authenticator?

Install and open the Google Authenticator app on your new phone. Tap Get started, then Add a code. Select Import existing accounts, then Scan QR code. With your new phone, scan the QR code generated on the old phone to transfer your accounts.

Why is my Authenticator not transferred to my new phone?

If you use Google Authenticator without cloud sync, the accounts it holds are not copied to a new device automatically, for security reasons. You will need to set up the Authenticator on the new device manually, either by re-enrolling each account or by exporting them from the old phone as a QR code and importing them on the new one.

How to sync Google Authenticator on iPhone?

  1. On your new phone, install the Google Authenticator app.
  2. In the Google Authenticator app, tap Get Started and sign in.
  3. Tap Menu > Transfer accounts > Import accounts.
  4. On your old phone, create a QR code: in the Authenticator app, tap Menu > Transfer accounts > Export accounts. ...
  5. On your new phone, tap Scan QR code.
