Earlier this week, Google announced that the Google Authenticator app is finally getting cloud backup and multi-device syncing. Until now, a user who lost the device, or lost access to it, was deprived of access to every account protected by this two-factor authentication (2FA) method, and restoring that access was very difficult or impossible; nor was there any way to add the same 2FA codes to several devices without a cloud backup. However, information security experts quickly noticed that when the data is uploaded to Google's servers, it is not end-to-end encrypted.
Now these shortcomings have been addressed, but shortly after the company announced cloud synchronization for Google Authenticator, security researchers from Mysk discovered that the data is not end-to-end encrypted when uploaded to Google's servers. They noted that this means Google can see users' secrets, most likely even while they are stored on its servers.
Since Google Authenticator does not offer end-to-end encryption, the data is stored on Google's servers in a form that unauthorized parties could read (whether through a breach of Google or the actions of an unscrupulous employee). This means that if there is ever a data leak, or someone gains access to a user's Google account, all of that user's 2FA secrets will be compromised.
In response to this statement, Google developers said they would add end-to-end encryption in upcoming versions of Google Authenticator. A company representative explained to BleepingComputer that the developers' concern is that end-to-end encryption can lock users out of their own data with no way to recover it, so the company is rolling such features out very carefully.
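The following Python is an added illustration of the two points the article makes (the exposure described in the third paragraph and the lockout trade-off Google cites in the fourth); it is not Google's code or design. It models an authenticator backup blob two ways: uploaded as-is, and encrypted on the device under a user passphrase before upload. The blob layout, the scrypt parameters and the encrypt-then-MAC construction (an HMAC-SHA256 keystream plus an HMAC-SHA256 tag, chosen so the example runs on the standard library alone) are assumptions for the demonstration; a production design would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305. The sample `otpauth://` seeds are constructed and not real account data.

```python
"""Model of an authenticator cloud backup with and without end-to-end
encryption.  Added example, not Google's code: layout, key derivation and
cipher construction are assumptions made for the demonstration."""
import hashlib
import hmac
import os

# Constructed sample: two TOTP seeds as an authenticator app would hold them.
# The Base32 secrets are made up for this example.
SAMPLE_SEEDS = [
    "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example",
    "otpauth://totp/Demo:alice@example.com?secret=KRSXG5CTMVRXEZLU&issuer=Demo",
]


def serialize(seeds):
    return "\n".join(seeds).encode()


def plaintext_backup(seeds):
    """Upload model without end-to-end encryption: the stored blob is the seed
    list itself, so anyone who can read server storage or the user's account
    can read every 2FA secret."""
    return serialize(seeds)


def _derive_keys(passphrase, salt):
    # scrypt is memory-hard; n is kept modest so the example runs quickly.
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**12, r=8, p=1, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF-based keystream (demo construction).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def e2ee_backup(seeds, passphrase, salt=None, nonce=None):
    """Client-side encrypt-then-MAC before upload.  The server only ever sees
    salt || nonce || ciphertext || tag and cannot recover the seeds without the
    passphrase, which never leaves the device."""
    salt = os.urandom(16) if salt is None else salt
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _derive_keys(passphrase, salt)
    pt = serialize(seeds)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def restore_e2ee_backup(blob, passphrase):
    """Decrypt on a new device.  Returns the seed list, or None if the
    passphrase is wrong or the blob was altered.  This is the lockout
    trade-off: with the passphrase gone there is no server-side recovery."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode().split("\n")


def server_can_read_secrets(blob):
    """What a party with read access to the stored blob learns: True if a TOTP
    secret is visible in the stored bytes."""
    return b"secret=" in blob


if __name__ == "__main__":
    pw = "correct horse battery staple"
    plain = plaintext_backup(SAMPLE_SEEDS)
    enc = e2ee_backup(SAMPLE_SEEDS, pw)
    print("plaintext backup exposes secrets:", server_can_read_secrets(plain))
    print("E2EE backup exposes secrets:", server_can_read_secrets(enc))
    print("restore, right passphrase:", restore_e2ee_backup(enc, pw) == SAMPLE_SEEDS)
    print("restore, wrong passphrase:", restore_e2ee_backup(enc, "forgotten"))
```

Running it shows the server-side view in each case: the plaintext blob reveals every `secret=` value to whoever can read it, while the encrypted blob reveals nothing; the last line shows the cost of that protection, since a forgotten passphrase yields `None` and nothing on the server side can undo it.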