
MacRumors

macrumors bot
Original poster
Apr 12, 2001
64,416
32,243


Earlier this week, Google updated its Authenticator app to enable the backup and syncing of 2FA codes across devices using a Google Account. Now an examination by Mysk security researchers has found that the sensitive one-time passcodes being synced to the cloud aren't end-to-end encrypted, leaving them potentially exposed to bad actors.


Prior to the integration of Google Account support, all codes in the Google Authenticator app were stored on device, which meant that if the device was lost, so too were the one-time passcodes, potentially causing loss of account access as well. But it seems that by enabling cloud-based syncing, Google has opened up users to a security risk of a different sort.

"We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted," said Mysk via Twitter. "This means that Google can see the secrets, likely even while they're stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."

"Secrets" is a term used to refer to private pieces of information that act as keys to unlock protected resources or sensitive information; in this case, one-time passcodes.

Mysk said that its tests found the unencrypted traffic contains a "seed" that's used to generate the 2FA codes. According to the researchers, anyone with access to that seed can generate their own codes for the same accounts and break into them.

"If Google servers were compromised, secrets would leak," Mysk told Gizmodo. Since the QR codes involved with setting up two-factor authentication contain the name of the account or service, the attacker can also identify the accounts. "This is particularly risky if you're an activist and run other Twitter accounts anonymously," added the researchers.

Mysk subsequently advised users not to enable the Google account feature that syncs 2FA codes across devices and the cloud.


Responding to the warning, a Google spokesperson told CNET it had added the sync feature early for convenience's sake, but that end-to-end encryption is still on its way:
"End-to-End Encryption (E2EE) is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To ensure that we're offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future."
Until that happens, there are alternative services for syncing authentication codes across devices, such as Apple's own 2FA code generator and third-party apps like Authy.

Article Link: PSA: Google Authenticator's Cloud-Synced 2FA Codes Aren't End-to-End Encrypted
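As an added illustration of the point Mysk makes above (this is example code, not anything from the article, Mysk or Google): a TOTP seed of the kind an authenticator stores, here parsed from a constructed otpauth setup URI with a made-up secret and a hypothetical account, is all that is needed to reproduce the codes, which is why the seed has to be protected end to end in transit and at rest. The generator follows RFC 6238 (HMAC-SHA1, 30-second step).

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed otpauth URI of the kind encoded in a setup QR code. The secret is
# made up and the account is hypothetical. Note that the label names the service
# and account, so a leaked seed also reveals which account it belongs to.
SAMPLE_URI = ("otpauth://totp/ExampleMail:alice%40example.org"
              "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleMail&digits=6&period=30")


def parse_otpauth(uri):
    """Split an otpauth://totp URI into label, raw secret bytes, digits and period."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = parse_qs(parts.query)
    secret_b32 = query["secret"][0].upper().replace(" ", "")
    # otpauth URIs usually omit base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on the seed and the clock."""
    counter = int(unix_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def codes_from_uri(uri, unix_time):
    """Everything a holder of the synced seed has: the account label and the live code."""
    cfg = parse_otpauth(uri)
    return cfg["label"], totp(cfg["secret"], unix_time, cfg["digits"], cfg["period"])


if __name__ == "__main__":
    label, code = codes_from_uri(SAMPLE_URI, time.time())
    print(f"{label}: {code}")
```

The RFC 6238 test vectors (shared secret "12345678901234567890", SHA-1) reproduce with this generator, so it can be checked against any other authenticator.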
 

icanhazmac

Contributor
Apr 11, 2018
2,666
10,209
Shocking! /s

This, along with the privacy scorecard, makes this a hard pass.




Keep in mind, this is an authenticator app, what could it possibly need all that identifiable data for besides wholesale collection? This is basically spyware!
 

szw-mapple fan

macrumors 68040
Jul 28, 2012
3,560
4,450
Way to destroy the reputation of this service by launching early. End-to-end encryption for 2FA codes is a must and should be ready on day one. This not only demonstrates that the service itself might be vulnerable but also that Google is not serious about security and encryption and is only implementing it as kind of an afterthought.
 

locovaca

macrumors 6502
May 14, 2002
436
1,267
Iowa
I'm going to urge people away from the closed source Authy and towards 2FAS, Aegis Authenticator, or Raivo OTP.

Authy doesn't even offer a way to export, though I hear there's a hack for that. That alone should make people nervous.
I’m happy with OTP Auth as well.
 

MrRom92

macrumors 6502a
Sep 30, 2021
979
2,072
I’d rather just not use 2FA. Google Authenticator is nothing but trouble.
 

steve09090

macrumors 68020
Aug 12, 2008
2,331
4,438
Question for the thread to an Android user:

I get that Android allows for more tweaking and potentially (subjectively) a more fun experience. All operating systems have to be assumed to be insecure, but Android (by Google/Alphabet) is openly promising to be a direct link into private, saleable data. Why do people ignore the massive chasm of security between Android and Apple?
 

Artemis70

macrumors 6502
Feb 1, 2013
285
293
I use LastPass Authenticator (for work) and Dashlane Authenticator (personal). I'm curious if both of them are any better than Google Authenticator.
 

DaPizzaMan

macrumors 6502a
Jun 14, 2016
544
1,184
I'm going to urge people away from the closed source Authy and towards 2FAS, Aegis Authenticator, or Raivo OTP.

Authy doesn't even offer a way to export, though I hear there's a hack for that. That alone should make people nervous.
2FAS looks interesting because it also has a browser extension. Unfortunate that Authy does not have an export, since importing into 2FAS would be nice.
 

sw1tcher

macrumors 603
Jan 6, 2004
5,609
19,866
Shocking! /s

This, along with the privacy scorecard, makes this a hard pass.



Keep in mind, this is an authenticator app, what could it possibly need all that identifiable data for besides wholesale collection? This is basically spyware!

Wait until you see how much data is linked to you from this "wholesale collection" app :p


 

asdfjkl;

macrumors regular
Sep 24, 2015
212
796
Way to destroy the reputation of this service by launching early. End-to-end encryption for 2FA codes is a must and should be ready on day one. This not only demonstrates that the service itself might be vulnerable but also that Google is not serious about security and encryption and is only implementing it as kind of an afterthought.
I work with Google's cloud at work (AWS and Azure, too). Google's cloud has waaaay too many insecure defaults for me. Their security layer (IAM / identity and access management) is a toy compared to other cloud providers. Personally, hard pass on anything from Google. They just aren't serious about security.
 

icanhazmac

Contributor
Apr 11, 2018
2,666
10,209
Wait until you see how much data is linked to you from this "wholesale collection" app :p



Yup, well aware and not happy about that either.

Boils down to who you trust more with your data. I'll take Apple vs the likes of Amazon, Google, Facebook, Microsoft.

The main point is Google seems to be collecting data well outside what is needed for an authenticator.
 

andrewxgx

macrumors 6502
Apr 20, 2018
380
2,331
Wait until you see how much data is linked to you from this "wholesale collection" app :p


How do you expect the artist to be paid if they don't know what you played?
It's a music service; that data is necessary for any of that to work.
 

BootsWalking

macrumors 68020
Feb 1, 2014
2,273
14,213
I work with Google's cloud at work (AWS and Azure, too). Google's cloud has waaaay too many insecure defaults for me. Their security layer (IAM / identity and access management) is a toy compared to other cloud providers. Personally, hard pass on anything from Google. They just aren't serious about security.

Apple is now Google's largest corporate customer for cloud storage


Jun 29, 2021
Apple has dramatically increased the amount of data that it stores on Google's cloud services, suggesting that its storage needs have grown faster than it can handle with its own servers.

Source: https://appleinsider.com/articles/2...-largest-corporate-customer-for-cloud-storage
 

qnssekr

macrumors member
Oct 20, 2011
52
38
Will I be locked out of a government website that I set up with Google 2FA if I deactivate my Google 2FA app? I forgot which gov site I used and assumed it’s important. I tried searching my privacy settings to see what site this may be but can't find any info. Please help!
 