Google may have brought cloud backups to its 2FA authentication app, but the cloud backups aren’t end-to-end encrypted, meaning theoretically Google or another malicious third party can get access to your codes. The flaw was discovered by security researchers at Mysk who were critical of the drawback.
The search giant however seems to stand by its decision, with Christiaan Brand, Google’s product manager for identity and security stating that while end-to-end encryption is a “powerful feature that provides extra protections”, it comes at the cost of potentially locking the users out of their own accounts and data with no recovery methods.
With the main objective behind this update being features that “protect users, but are useful and convenient” the company doesn’t think end-to-end encryption is a good fit for Authenticator at the time being. That said, Brand also said that Google has started rolling option end-to-end encryption for some of its products and does plan to bring it to Authenticator in the future.
Additionally, Google still lets users use the Authenticator app without enabling sync or signing in with their Google account at all. So if you’re sceptical about Google snooping in on your 2FA codes, just don’t log in to your Google account on the app, which is also what Mysk researchers ended up recommending until better encryption is added.
That’s not to say that backups taken between the app and Google servers aren’t protected at all. The data is encrypted in transit and at rest across the company’s products, including Authenticator. However, the decision to exclude end-to-end encryption, for now, seems to be a balancing act between providing benefits over offline use and ensuring that users’ data is still recoverable if they lose access to their device with the Google Authenticator app.
In the News: India pushes E-commerce giants to adopt Open Network Digital Commerce