A new sync-to-cloud feature in Google's Authenticator two-step verification app is coming under fire from privacy advocates, who claim communication between endpoint and cloud is unencrypted and can be snooped on by adversaries.
The sync feature was added by Google to help users back up their two-factor authentication code sequences to the cloud, allowing them to save time and restore authentications on multiple devices just by adding a new instance of the app on devices logged into a specific Google Account.
Researchers at Mysk analyzed network traffic of the updated Google Authenticator app and said “it turns out the traffic is not end-to-end encrypted.”
“Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don't turn it on,” Mysk explained in a tweet earlier this week. "Although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy."
Researchers said the lack of encryption opens users up to data leakage and a possible Google account takeover. A successful attack gives a malicious actor access to the two-factor-authentication's QR code used to generate a one-time code, allowing the bad actor to generate the same one-time code.
"Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised," Mysk wrote.
Paul Ducklin at Sophos’ Naked Security blog noted that anyone with a search warrant for your Google data can access sensitive authenticator data.
The Mysk researchers recommend that privacy-conscious users turn off the new syncing feature in Google Authenticator.
A tweet from Google’s Christiaan Brand, product manager for identity and security, acknowledged the privacy concerns and stated that Google plans to roll out end-to-end encryption for Google Authenticator “down the line.”
“[Google] believes that our current product strikes the right balance for most users and provides significant benefits over offline use,” he wrote.