Google is bringing end-to-end encryption to Google Authenticator cloud backups after researchers warned users against synchronizing 2FA codes with their Google accounts.
This week, Google Authenticator finally received the long-awaited ability to back up 2FA tokens to the cloud.
This new feature allows users to synchronize their Google Authenticator 2FA tokens with their Google account, providing a backup if their mobile device is lost or damaged.
It also allows users to access their 2FA tokens on multiple devices as long as they are all logged into the same Google account.
No end-to-end encryption
However, soon after Google Authenticator cloud sync was announced, security researchers at Mysk discovered that the data was not being end-to-end encrypted while being uploaded to Google’s servers.
"We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted," reads a tweet from Mysk.
"As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."
End-to-end encryption means data is encrypted on the user's device, using a password known only to the owner, before it is transmitted to and stored on another system. Because only encrypted data leaves the device, nobody else can read it, not even those with access to the server that stores it.
As Google Authenticator does not offer end-to-end encryption, the data is stored on Google's server in a format that unauthorized users could potentially access, whether through a Google breach or an unscrupulous employee.
"Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections," continued Mysk.
"So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised."
Authy, another popular authenticator app, has grown in popularity over the years as it offers cloud backups of 2FA tokens that are end-to-end encrypted.
When using this feature on Authy, users must enter a password only they know, causing any uploaded data to be encrypted before it leaves their mobile device.
Furthermore, Authy does not allow data to be backed up unless an end-to-end encryption password is set, providing better security.
However, this feature poses a risk, since users could be locked out of their data and unable to restore it to another device if they lose the password.
E2EE coming to Google Authenticator
Google has heard users' concerns about the lack of end-to-end encryption and said it would add it to a future version of Google Authenticator.
Google Group Product Manager Christiaan Brand told BleepingComputer that due to the possibility of end-to-end encryption causing users to get locked out of their own data, they are rolling out this feature carefully in their products.
“The security and safety of our users is paramount to everything we do at Google, and it’s a responsibility we take seriously. The recent update to the Google Authenticator app was done with that mission in mind and we took careful steps to ensure we were able to offer it to users in a way that protects their security and privacy, but is also useful and convenient,” Brand told BleepingComputer.
"We encrypt data in transit, and at rest, across our products, including in Google Authenticator. End-to-End Encryption (E2EE) is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To ensure that we're offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future."
Google already provides end-to-end encryption in some of its services, such as Google Chrome, which lets you set a passphrase to encrypt data synchronized with your Google account.
Comments
XSp - 1 year ago
The fact that they released this functionality without end to end encryption is about enough to condemn the whole thing. What the f*ck was Google thinking? Do they still have people working there that think so poorly about the subject, understand so little about security?
And then they come out shooting themselves in the foot with this outdated stupid idea of offering optional E2EE once again because of worries of people getting locked out of their accounts... the same crap that condemned RCS for me.
This entire thing is the whole reason I've been moving away from Google products... they are unwilling to understand that half measures leave most of their users vulnerable to attacks, and that you cannot make security stronger if everything you do is half measures most of your users won't adopt.
This weak stance on security they put up does more damage than doing nothing at all. It fools people who don't know about the technical aspects of this to think they are secure somehow when they actually have become even more exposed.
If you are worried about people getting locked out of accounts if they lose the keys, put more warnings up, educate better, and come up with better ways for people to back up their crap.
Leave secondary methods of authentication up to be used only in emergencies.
There are several strategies that could be adopted there, and none of them justify handling and storing TOTP keys in plaintext on the cloud.
To me, this only signals that someone developing this whole deal doesn't understand fundamental principles of the entire concept. There is either complete incompetence there, or malicious intent, neither of which people should give space for.
Mahhn - 1 year ago
@XSp, I suspect they are doing what their business model is, data harvesting (for marketing and other purposes). It's not impossible, and actually it's very likely that the entire reason they want to back up this data, is to have access to it.
LIstrong - 1 year ago
Data scraping of consumer and enterprise data is for resale for all sorts of nefarious purposes, none to do with advertising. Whenever you use free or cheap software, you are the product, not the customer. Google has fantastic security, internally.
jkr4m3r - 1 year ago
One could make the argument that storing data like this in the cloud is a bad idea in the first place. Convenience and security are opposites.