Will Google’s Two-Factor Authentication Effectively Sync or Sink You?

The customer is always right!

Keeping to this phrase, Google Authenticator finally added a service that customers have been long requesting. So, what is it?

It’s allowing users to sync their two-factor authentication codes to their Google accounts!

In a blog post, Google’s Christiaan Brand (Product Manager, Identity and Security) wrote, “One major piece of feedback we’ve heard from users over the years was the complexity in dealing with lost or stolen devices that had Google Authenticator installed.” Brand added, “Since one time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.”

Essentially, when setting up a new phone, Authenticator will run without its setup process after you log in to your account. Additionally, it’ll be easier to get into your account from another device if your phone gets stolen or lost.

To enable the feature, you’ll need to update the Authenticator app for Android or iOS. For further information, you can check out Google’s support page.
 
However, you may want to hold out on enabling this feature at the moment, as it comes with some added risks.

A major issue stems from the fact that presently Google Authenticator doesn’t use end-to-end encryption (E2EE), meaning Google can view them and use the information to offer personalized ads.

“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” tweeted Mysk, which consists of two iOS developers and occasional security researchers. “This means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only to the user.

“Why is this bad? Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”
 
Additionally, it’s believed this move could draw the attention of cybercriminals and malicious actors.

Even a Google spokesperson, Kimberly Samra, said the feature is optional and those who enable it shouldn’t expect any security measures ahead of Google’s standard precautions. Google might add E2EE at a later stage but nothing has been announced yet.

Do you think this initiative by Google is half-baked? Would you consider enabling this feature? Let us know in the comments below!