Google Authenticator sync lacks end-to-end encryption, but Google is working on it – BGR

Google finally added a great feature to Google Authenticator, support for account syncing, which will save you a lot of trouble along the way. You won't have to worry as much about a lost or stolen smartphone, and upgrading your iPhone and Android handset will be even easier. But Google Authenticator account sync lacks a major security feature: End-to-end encryption (E2EE).

Since Google Authenticator holds your two-factor authentication (2FA) keys for various key services, data encryption sounds like a no-brainer. And the app does encrypt data while in transit, but it's not end-to-end encryption. Google is fixing the issue down the line, however.

Soon after Google announced account syncing for Google Authenticator data, security researchers discovered that the feature doesn't support end-to-end encryption.

That sounds like a big security issue that could prevent you from taking advantage of the account syncing convenience. If you worry about the lack of full encryption, you might very well postpone syncing until Google rolls out end-to-end encryption support.

But Google Authenticator data should be secure. The data between your devices and Google's server is encrypted in transit. The only problem is that a data breach involving a Google account would also jeopardize the security of 2FA codes.

Google product manager Christiaan Brand addressed the matter on Twitter. He revealed that support for end-to-end encryption is coming.

"We're always focused on the safety and security of @Google users, and the newest updates to Google Authenticator was no exception. Our goal is to offer features that protect users, BUT are useful and convenient," Brand said.

"We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery."

The exec also said that Google started rolling out optional end-to-end encryption in some products, and Google Authenticator will follow.

"Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use," Brand added. "However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves."

Using the app offline means not signing into your Google account from Authenticator until E2EE rolls out.

As for the actual end-to-end encryption's arrival, you'll have to prepare to create strong recovery keys and store them somewhere safe. But we'll cross that bridge when we get there. Brand hasn't offered an actual timeline for Google Authenticator getting end-to-end encryption.
