Google Authenticator 2FA update accused of making service less secure


A new update for the Google Authenticator app has drawn criticism from developers for allegedly opening users up to privacy and security violations.

Earlier this week, Google rolled out an update for Android and iOS allowing users to back up their one-time authentication codes to the cloud, but researchers have noted that the network traffic for this process is not end-to-end encrypted.

A security researcher and programmer duo, posting under the shared online handle Mysk, alleged that without proper encryption, users’ two-factor authentication (2FA) secrets could be viewed by Google or potentially accessed by threat actors.

“Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes,” the researchers tweeted.

“If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”

Mysk also stated that as 2FA QR codes contain data relating to the name of the service to which they relate, Google could access this data to serve users personalized ads.
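To make concrete what Mysk describes, here is an added Python example (not code from the article, Mysk or Google): it parses the otpauth:// URI that a 2FA QR code encodes, exposing the seed next to the service metadata (issuer and account label) Mysk refers to, and derives RFC 6238 TOTP codes from that seed to show that any second holder of the seed computes identical codes. The URI, issuer, account and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a 2FA QR code encodes; the secret, issuer and
# account are made-up values, not real credentials.
SAMPLE_URI = ("otpauth://totp/ExampleBank:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleBank&digits=6&period=30")


def parse_otpauth(uri):
    """Return the shared seed plus the service metadata (issuer, account
    label) that a QR-code enrolment carries alongside it."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the seed and the
    current time step, so a leaked seed yields the same codes as the phone."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def codes_match(uri, unix_time):
    """Simulate the user's phone and a second holder of the same exported
    seed; both derive the code independently and the results are compared."""
    entry = parse_otpauth(uri)
    phone = totp(entry["secret"], unix_time, entry["digits"], entry["period"])
    other = totp(entry["secret"], unix_time, entry["digits"], entry["period"])
    return phone == other, phone, entry["issuer"], entry["label"]


if __name__ == "__main__":
    same, code, issuer, label = codes_match(SAMPLE_URI, time.time())
    print(f"{issuer} / {label}: code {code}; second holder matches: {same}")
```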

Security analyst Graham Cluley echoed Mysk’s findings, saying “you shouldn't enable the feature as Google hasn't implemented it in a way that properly defends your security”.


The feature has been long requested, and Google said it has added it in acknowledgment of the frustration some users felt with one device being tied to crucial accounts.

“One major piece of feedback we’ve heard from users over the years was the complexity in dealing with lost or stolen devices that had Google Authenticator installed,” wrote Christiaan Brand, group product manager at Google, in a blog post.

“Since one-time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.”

With the new update, users will be able to access one-time codes again on a new phone once they have signed into the Authenticator app using their Google account.

Google Authenticator will automatically back up codes to the cloud, though users are still able to use the app without a Google account.

Microsoft had already allowed cloud backups in Microsoft Authenticator, and its documentation page outlines the extent to which keys sent to the cloud are encrypted with AES-256.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.