Google Authenticator’s new account-sync feature has been found not to use end-to-end encryption, which exposes users’ two-factor secrets to Google and creates security risks.
The Authenticator app generates the one-time codes that websites require as a second layer of protection on top of a user’s password. Earlier this week, Google announced that users can now sync Authenticator to a Google account and use it across multiple devices, which reduces the risk of being locked out of accounts when a phone is lost or replaced.
However, when security researchers and app developers at the software company Mysk dug deeper into the change, they noticed that the synced data is not end-to-end encrypted. Mysk went on to explain on Twitter that Google can see the ‘secrets’, most likely including while they are stored on its servers. In security, a ‘secret’ is a credential that acts as a key to an account or tool; here it is the seed from which every one-time code for an account is derived.
Because each synced entry also names the service and the account it protects, this opens up the possibility for Google to see which apps and services a user relies on, data that could be used for targeted ads.
The full tweet from Mysk detailing its concern can be found below:
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
Users can avoid the issue by using Authenticator without signing in to their Google account, which keeps the secrets on the device and stops them from syncing. The downside is that this forgoes the very feature the update introduced.
Google might not be the only party able to see the data. Mysk’s tests found that the sync data in transit is not end-to-end encrypted, and that it carries the seed from which the two-factor codes are generated; according to researcher Tommy Mysk, anyone who obtains that seed can generate valid codes and defeat the second factor on the account.
The discovery is concerning given that Google offers stronger protection for similar data elsewhere, such as the optional sync passphrase that encrypts Chrome’s saved passwords on the device so that Google cannot read them.
Google has yet to comment on the issue and has not announced plans to add passphrase-based end-to-end encryption to Authenticator sync.
Image credit: Google