by John W. Simek, Vice President of Sensei Enterprises, Inc.

Google Authenticator to Get End-To-End Encryption

April 27, 2023

A few days ago, Google announced the ability to back up your Google Authenticator tokens (the secrets the app uses to generate one-time codes) to the cloud. It is a welcome and long-awaited feature for the popular authentication app. With cloud backup, you can restore your data to a replacement or upgraded device with little effort. Google Authenticator users know what a pain it was to export the data from the old phone and then import it on the new one, and exporting is not an option at all if you lose your phone or it no longer powers on.

Days after the announcement, Bleeping Computer reported a security issue with the cloud backup feature. Security researchers at Mysk found that Google was sending the backed-up secrets to the cloud without end-to-end encryption, meaning the secrets are readable by Google rather than only by the user. “We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.” Not a good thing: whoever holds a TOTP secret can generate every code it will ever produce.

Google backpedaled a bit, saying it had held off on end-to-end encryption for the initial release out of concern that users would lock themselves out of their own data: with end-to-end encryption, a forgotten passphrase or lost key makes the backup unrecoverable. Apparently, end-to-end encryption is coming. We just don’t know when.
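To make the two points above concrete, here is an added example (not code from the article, from Google Authenticator, or from Mysk). It shows that a TOTP seed is all that is needed to compute codes (RFC 6238), so a seed the server can read is as sensitive as a password, and that wrapping the seed under a passphrase-derived key leaves the server with ciphertext only, at the cost that a wrong or forgotten passphrase makes the backup unrecoverable. The seed, passphrase and timestamps are constructed for the demo (the seed is the RFC 6238 test key); the wrapping uses scrypt plus an HMAC-SHA256 counter keystream and HMAC tag so that it needs only the standard library, and is a stand-in for AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
"""Added example: TOTP from a backed-up seed, and passphrase wrapping of
that seed. Not the article's, Google's, or Mysk's code."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed demo seed: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Anyone holding seed_b32 can run this."""
    seed = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Passphrase -> (encryption key, MAC key) via scrypt (memory-hard KDF)."""
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; illustrative stand-in for a real cipher."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
    return out[:length]


def wrap_backup(seed_b32: str, passphrase: str) -> bytes:
    """End-to-end encrypt the seed under the user's passphrase before upload."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    pt = seed_b32.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag               # all the server ever stores


def unwrap_backup(blob: bytes, passphrase: str) -> Optional[str]:
    """Recover the seed; None if the passphrase is wrong or the blob was altered."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                              # the lockout case Google worried about
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def server_view(blob: bytes, seed_b32: str) -> bool:
    """True if the stored blob exposes the seed as-is (no end-to-end encryption)."""
    return seed_b32.encode() in blob


if __name__ == "__main__":
    now = 1111111109                             # constructed timestamp (an RFC 6238 vector)
    # Backup without end-to-end encryption: the server holds the seed and can make codes.
    plain_blob = DEMO_SEED_B32.encode()
    print("server can read seed:", server_view(plain_blob, DEMO_SEED_B32))
    print("server can compute code:", totp(plain_blob.decode(), now))
    # Passphrase-wrapped backup: the server holds ciphertext only.
    e2ee_blob = wrap_backup(DEMO_SEED_B32, "correct horse battery staple")
    print("server can read seed:", server_view(e2ee_blob, DEMO_SEED_B32))
    print("owner restores:", unwrap_backup(e2ee_blob, "correct horse battery staple"))
    print("forgotten passphrase:", unwrap_backup(e2ee_blob, "wrong passphrase"))
```

The last line of the demo is the trade-off Google cited: with the passphrase gone, neither the user nor the provider can recover the seed, which is exactly what makes the scheme end-to-end encrypted.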

