Google’s Latest Two-Factor Authentication Lacks End-To-End Encryption

The Authenticator app, Google’s latest 2FA tool, may pose security risks for users. The app generates unique codes that, in conjunction with passwords, provide an additional layer of security for websites. Software company Mysk examined the new two-factor authentication tool, Google’s Authenticator app, and discovered that its underlying data is not end-to-end encrypted.

Mysk conducted tests as soon as the feature was released. They discovered that there was no provision for using a passphrase to secure the secrets in the app. Further analysis of the app’s network traffic during secret synchronization revealed that the traffic lacked end-to-end encryption. The absence of a passphrase to protect the secrets implies that Google can access them, including the copies stored on its servers.

Mysk made this known on Twitter and included screenshots as evidence. (When referring to credentials that serve as a key to unlock an account or tool, the security community commonly uses the term “secrets.”) Users can lower the possible risks related to inadequate end-to-end encryption by choosing to use Google Authenticator without syncing it across several devices or linking it to their Google account.

However, this means foregoing a convenient feature that many users have long requested. According to Mysk, while syncing 2FA secrets across different devices is a convenient feature, it comes with a privacy trade-off. The company recommends that users avoid the new syncing feature for now and use the app without it.


No immediate response from Google when asked for comments

During the security tests conducted on Google’s Authenticator app, researchers discovered that the unencrypted traffic included a “seed,” the value from which the two-factor authentication codes are generated. This finding is worrying, as anyone with access to the seed can generate the same codes and access the user’s accounts.

Tommy Mysk, one of the researchers who discovered the issue, stated that if Google’s servers were breached, the secrets could be exposed. Additionally, the QR codes used to set up two-factor authentication contain the account or service’s name, such as Amazon or Twitter. This could put users at risk if they have anonymous accounts or are activists.
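To make the two findings above concrete, here is an added example (not code from Mysk or Google) that parses a constructed otpauth enrolment URI of the kind a 2FA QR code encodes and derives the RFC 6238 code from its seed; it shows that whoever can read an unencrypted synced entry learns both the service and account label and everything needed to produce the codes. The URI and account name are constructed, and the seed is the RFC 6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the kind of URI an enrolment QR code encodes. The seed is the
# RFC 6238 test-vector key "12345678901234567890" in base32; the account is made up.
SAMPLE_URI = ("otpauth://totp/Amazon:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Amazon&digits=8")

def parse_otpauth(uri):
    """Parse an otpauth:// TOTP URI into issuer, account label and raw seed bytes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret_b32 = params["secret"].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR payloads usually drop base32 padding
    return {
        "issuer": params.get("issuer", issuer_from_label),
        "account": account,
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }

def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1, the default used by Google Authenticator."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def exposure_from_uri(uri, unix_time):
    """What a party reading an unencrypted synced entry learns: the service, the
    account label, and the live code, since the seed alone determines the code."""
    entry = parse_otpauth(uri)
    code = totp(entry["secret"], unix_time, entry["digits"], entry["period"])
    return entry["issuer"], entry["account"], code

if __name__ == "__main__":
    issuer, account, code = exposure_from_uri(SAMPLE_URI, time.time())
    print(f"{issuer} / {account} -> current code {code}")
```

A sync design with a user passphrase, as Chrome sync offers, would keep the `secret` field opaque to the server while the label and code derivation stay exactly as shown on the device.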

Knowing which accounts an individual uses can allow attackers to target them more easily. The Google Authenticator app’s absence of encryption raises the possibility that Google or its personnel could access the data. They could potentially obtain information about users’ apps and services for targeted advertising or other purposes.

Security researcher Tommy Mysk has cautioned that granting a tech giant like Google such an extensive view of a user’s accounts and services is a cause for concern. Unexpectedly, Google did not provide the same level of security for its Authenticator sync feature as it did for other similar tools.

Google has a feature in Google Chrome that allows data synchronization across devices, which includes a password option to protect user data from unauthorized access. According to security researcher Tommy Mysk, since 2FA secrets are considered sensitive data, the same level of protection should have been applied to the Authenticator sync feature.

However, Google hasn’t announced any plans to include a password protection feature.

What is Two-factor Authentication?

Normally, a password or PIN serves as the first form of identification, with a fingerprint scan, facial recognition, or a one-time code produced by a security token or mobile app serving as the second.

2FA is an added security layer on top of passwords that makes it significantly harder for unauthorized individuals to access sensitive information. Even if a hacker obtains a user’s password, they still require the second form of identification to access the account.