Google Authenticator's Cloud-Synced 2FA Codes Pose Security Risks

TL;DR Summary
Google Authenticator's new feature that backs up and syncs 2FA codes across devices through a Google Account is not end-to-end encrypted, leaving the sensitive one-time passcodes potentially exposed to bad actors. Security researchers at Mysk found that the synced data, which is not end-to-end encrypted, contains the "seed" from which the 2FA codes are generated; anyone with access to that seed can generate valid codes for the same accounts and break into them. The researchers advise users not to enable the account-sync feature until end-to-end encryption is added, and Google has said an end-to-end encryption option is coming later.
- PSA: Google Authenticator's Cloud-Synced 2FA Codes Aren't End-to-End Encrypted MacRumors
- How to Finally Use Google Authenticator Without Your Phone Lifehacker
- Google's New 2FA Isn't End-to-End Encrypted, Tests Show Gizmodo
- Google on why Authenticator sync isn't E2E encrypted, but option coming later 9to5Google
- Google leaking 2FA secrets – researchers advise against new “account sync” feature for now Naked Security