Last week, Google announced account synchronization support for its Authenticator app. On April 25, the security research team Mysk highlighted on Twitter that the feature lacks support for end-to-end encryption (E2EE).
The security researchers found that the network traffic used to sync the credentials is not end-to-end encrypted. This means that the seed used to generate 2FA codes is transmitted in a format that is likely visible to both Google and attackers. The researchers warned that there is no setting that allows users to protect their synced 2FA codes.
Additionally, Google could potentially use the information linked to users’ accounts to show personalized advertisements. The security researchers recommended that users should not enable the new syncing feature until it adds support for end-to-end encryption.
Google product manager Christiaan Brand announced on Twitter that its Authenticator app will gain support for end-to-end encryption. However, he emphasized that users should not be concerned because the company encrypts data in transit and at rest across all its products.
“To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line,” Brand explained. “Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”
Use Google Authenticator offline or without sync
As of this writing, Google has not provided an ETA for bringing end-to-end encryption to the new account syncing feature in Google Authenticator. In the meantime, users can get around the security issue by continuing to use Google Authenticator in offline mode or without Google Account sync.