It appears the new 2FA account cloud-syncing feature in Google Authenticator isn’t end-to-end encrypted, but this feature will be coming at a later date.
Google recently updated its authenticator app to allow users to back up their saved accounts that require a Time-based One Time Passcode (TOTP) to authenticate their login, meaning that they can now easily transfer them to a new device.
However, security researchers Mysk sent out a tweet (opens in new tab) advising against turning on this functionality, as it isn’t end-to-end encrypted, meaning that Google or a third-party if the tech giant is breached, could see your codes.
Convenience trade-off
End-to-end encryption is a security and privacy enhancing feature that obfuscates sensitive content so that it can only be decoded with a key, such as a password. For instance, it is the cornerstone of popular messaging app such as WhatsApp, ensuring that content can only ever be seen by the sender and receiver – not even WhatsApp itself can take a peek.
Christiaan Brand, Product Manager for identity and Security, defended (opens in new tab) the omission by saying that the tech giant’s “goal is to offer features that protect users, BUT are useful and convenient.”
He added that “We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE… provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery.”
However, he also said that E2EE will be coming to various Google products, including now the authenticator, sometime “down the line”. He noted too that the app can still be used offline without having to sync 2FA accounts to their Google Account.
If you are using the Google Authenticator, then you may be using it conjunction with the Google Password Manager. While it isn’t our choice as the best password manager, it does allow for on-device encryption, which means that your own device stores the key internally to unlock access to your vault. Also, Google says that this key is used to “lock your passwords before they’re saved to Google Password Manager”, which means that, like end-to-end encryption, your passwords cannot be seen Google or anyone else but you.
Google does caution, though, that this means that “if you lose the key, you could lose your passwords too.” But this on-device decryption could be part of the push from Google and other big tech firms to ditch passwords altogether in favor of passkeys, which they want to be future of credential security.
