The Google Authenticator app, which was updated earlier this week to allow for cloud-based two-factor authentication (2FA) via your Google account, isn’t end-to-end encrypted, according to software company Mysk.
“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” said Mysk via Twitter, as reported by Gizmodo earlier Wednesday. “As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets.”
Secrets is cybersecurity jargon for a private piece of information used to unlock protected or sensitive information.
Security researchers at Mysk are recommending people not turn on the ability to sync 2FA codes across devices and the cloud.
The long-awaited 2FA feature allows you to still access your codes even if your phone is lost or stolen. This means Gmail, banking apps or the plethora other services that allow for 2FA can still have codes accessed via your Google account even when your original device isn’t immediately available. Unfortunately, enabling the feature lacks the same level of encryption — at least for the moment.
“End-to-End Encryption (E2EE) is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery,” a Google spokesperson told CNET via email. “To ensure that we’re offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”
Google says it offered the feature in this initial way for convenience.
2FA gives you an extra layer of security on top of your passwords. The additional code generated via the Authenticator app can prevent bad actors from logging into your account with your password alone. For Big Tech, however, passwords are ultimately a vulnerable and ineffective way of keeping accounts secure.
Google, Apple and Microsoft have banded together in the FIDO Alliance, short for “fast identity online.” The goal is to have websites forego passwords for biometric login instead. This can include fingerprint scans or face scans. It can also include phone verification. Switching websites over to a “passwordless future” will take time, and, until then, 2FA will remain an important way to keep accounts safe .