Google can see your secrets when Google Authenticator cloud sync is enabled, data is not end-to-end encrypted and vulnerable to breaches

Google announced on Monday that its two-factor authentication (2FA) app Google Authenticator now supports cloud syncing, making it even more user-friendly. But experts recommend not enabling it, as this feature adds new security risks. Traffic is not end-to-end encrypted, which means that Google can see secrets, possibly even when they are stored on their servers. It is also vulnerable to being stolen by malicious actors. There is no option to add a passphrase to protect secrets, so they can only be accessed by the user.

Google Authenticator is a popular two-factor authentication program that generates tokens for authorizations. Like most web-based two-factor authentication software, Authenticator combines knowledge and possession functions. To access websites or web-based services, a user enters their usual username and password, and then a one-time password (OTP) code sent to their device by the system triggered by the connection. So far, Authenticator has not synced codes between client devices.

This means that customers have to manually install and configure these solutions on each device. But this week, Google introduced support for syncing two-factor authentication codes through its authenticator. This new feature improves the usability of the app for multiple device users. Google customers can now sync codes between iOS and Android devices. So when you set up a new device and sign in to your account, the Authenticator app will be ready to go without a clean setup process.

But, although many users have already activated the function, experts advise deactivating it for now. Here’s why: Analysis of network traffic revealed that the data, which contains highly sensitive information, is not end-to-end encrypted, which means that Google, and likely anyone else with access to a Google account, has access to the secrets. Here, the secret is the “seed” used to generate single-use tokens. It is necessary for two-factor authentication. In other words, anyone with access to the secret can generate one-use tokens for the associated service.

See also  Dead trees in the Arctic store huge amounts of carbon, study reveals - Eye on the Arctic

Information about the associated service and account name is also often present in the data. The problem was discovered and published by a group of two cyber security researchers called Mysk. We analyzed the network traffic when the application synchronized secrets, and it was found that the traffic is not end-to-end encrypted. This means that Google can see secrets, possibly even when they are stored on their servers. There is no option to add a passphrase to protect secrets, the research group writes, so that only the user can access them.

According to the researchers, another problem that can arise is that Google can provide information when required by law. With end-to-end encryption enabled, Google will not be able to provide the requested information. They recommend turning off the sync option for now, at the expense of convenience, to keep data safe and away from prying eyes. Google may, at some point, introduce a passphrase that users can specify to protect data when it is transferred to the company’s cloud servers.

Google Authenticator and other apps are a safer option than SMS codes. However, it is important to note that with the convenience of cloud syncing potentially comes additional risks. This could make targeting Google accounts more attractive to malicious actors. If you can hack an account, you can access a large number of sensitive accounts. Google spokeswoman Kimberly Samra confirmed that cloud sync is not enabled by default and is completely optional.

But if you enable it, don’t expect any additional security precautions over standard Google procedures. To keep unwanted guests out, Authy has a one-time password to restore two-factor backups and a button to allow (or deny) the use of multiple devices for a single account.

See also  iOS 15: Apple unveils new features | informational guidance

In short, while syncing two-factor authentication secrets between devices is convenient, it also comes at the cost of your privacy. Fortunately, Google Authenticator still offers the option to use the software without logging in or syncing secrets. For now, we’d recommend using the app without the new sync feature, the band wrote.

source : blog post

And you?

What do you think about it?
What do you think about the problem the researchers discovered?
Do you think this is an implementation error or a deliberate choice by Google not to encrypt data?

See further

Google Authenticator will now sync any two-factor authentication codes it generates with the user’s Google Account, but this adds a new security risk.

What are the most popular authentication apps from a security perspective? Microsoft Authenticator comes first, followed by Google Authenticator and Twilio Authy

FTC fines Twitter $150 million for using 2FA phone numbers to target ads, Twitter is also subject to other demands

Leave a Reply

Your email address will not be published. Required fields are marked *