Google Authenticator Adds Syncing

Christiaan Brand (Hacker News, MacRumors):

We are excited to announce an update to Google Authenticator, across both iOS and Android, which adds the ability to safely backup your one-time codes (also known as one-time passwords or OTPs) to your Google Account.

[…]

Since one time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.

With this update we’re rolling out a solution to this problem, making one time codes more durable by storing them safely in users’ Google Account. This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security.

I’m not sure why this took so long. Maybe they were working on some way to make sure it’s extra secure, but the announcement doesn’t talk about that.

Mysk (Hacker News):

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

[…]

Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.

Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user’s Google Account.

With no backup/syncing from Google Authenticator, I switched from Google Authenticator to 1Password as soon as it supported OTPs, and these days I use Apple’s password manager. But I don’t want to rely on it too heavily, for a variety of reasons, so for important accounts I use it only for OTPs, with the actual passwords in PasswordWallet.

Previously:

Update (2023-04-27): Mysk:

If you have already enabled syncing in Google Authenticator and now changed your mind and want to use the app offline, opting out won’t delete your tokens and their metadata from Google servers.

To remove your data from the cloud and use the app offline, you need to follow these steps[…]

See also: MacRumors.

Update (2023-05-01): Christiaan Brand (via Accidental Tech Podcast):

E2EE is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery.

To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line.

Mysk:

This shows that adding end-to-end encryption to Google Authenticator wasn’t planned at all, leaving the data of at least 100M+ users at risk.
