Google Authenticator users who store their one-time codes as a backup in their Google account should note that this does not use end-to-end encryption, meaning Google has access to this information. This week Google announced a new feature for the Google Authenticator. A 2FA code generation application that allows users to log into an account. However, the codes in Authenticator were only stored on the user’s phone. If the phone was lost, the user could no longer log in to accounts for which he had set up two-factor authentication (2FA) via Authenticator, according to Google. Previously, when switching to a new phone, users had to manually transfer the codes from one device to another or first disable 2FA and then re-enable it on the new phone. The new synchronization feature ensures that generated codes can also be saved to the user’s Google account. These codes can then be accessed from any device on which the user installs Google Authenticator. Based on the network traffic, researchers state that the traffic is not end-to-end encrypted, meaning that Google can view stored codes. “There is no option to add a passphrase to protect the codes so that they are only accessible to the user,” the researchers said. They note that every 2FA qr code contains a seed that is used to generate the one-time codes. When someone knows the secret, they can generate the same one-time codes and bypass the 2FA protection of accounts. Should an attacker gain access to the user’s Google account, all of their 2FA secrets would be compromised. In addition, 2FA qr codes often contain other information, such as username and the name of the relevant service, such as Twitter or Amazon. Since Google can see all this data, it knows which online services the user is on and can in theory use this information for personalized advertisements, the researchers of Mysk say, who advise users not to use the synchronization feature for the time being.
