Google Authenticator will get end-to-end encryption for its cloud backups after researchers warned that the app's latest update put users' two-factor authentication (2FA) secrets, and with them account information, at risk of compromise.
The app provides a second factor for multi-factor authentication: it generates one-time codes on the linked mobile device, which the user enters alongside their password as an additional layer of security.
Last Tuesday Google released an update to Google Authenticator that makes it possible to back up the secrets used to generate those one-time codes to the user's Google Account. This way the user no longer depends on a single linked phone and can sign in from any device that is logged into their Google Account.
However, the researchers at Mysk advised users not to install this update: after analyzing the network traffic while the app synchronized these secrets, they found that the traffic was not end-to-end encrypted.
This implies that, during the sync process, Google has access to the secrets, as Mysk explained in a Twitter post. In fact, Google most likely continues to have access to this information “even when it is stored on its own servers.”
In this situation, Google Authenticator's second factor loses much of its value as an additional layer of security, and sensitive user information can be put at risk.
As the researchers describe, each 2FA QR code contains a “secret” or “seed” that is used to generate the one-time codes. Consequently, anyone who knows this secret can generate identical codes, which eliminates the protection of the second factor.
Since Google has access to these seeds, the researchers warned that in the event of a data breach, or if someone gains access to a user's Google account, “all 2FA secrets would be compromised.”
In addition, the researchers point out that the 2FA QR code “usually contains other information,” such as the account name and the name of the service the code belongs to, for example Amazon or Twitter, so this data may also be exposed.
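To make the two previous points concrete, here is an added example (not code from the article or from Google Authenticator) that parses an otpauth:// URI of the kind encoded in a 2FA QR code and derives the one-time codes from it with the standard TOTP/HOTP algorithm (RFC 4226 / RFC 6238). The URI, the issuer “ExampleShop” and the account “alice@example.com” are constructed for this example; the base32 secret is the well-known RFC test key “12345678901234567890”. It shows that whoever holds the secret produces exactly the same codes as the user's phone, and that the same payload also carries the service and account name.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the otpauth:// URI a service shows in its 2FA QR code.
# Issuer and account are made up; the secret is the RFC 4226/6238 test key
# "12345678901234567890" encoded in base32.
EXAMPLE_URI = (
    "otpauth://totp/ExampleShop:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleShop&digits=6&period=30"
)


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the seed and the metadata travelling with it.

    Everything returned here (not only the secret) is what a sync service can
    read when the payload is not end-to-end encrypted.
    """
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(p.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    return {
        "issuer": q.get("issuer", issuer_from_label),
        "account": account,
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, int(unix_time) // period, digits, algorithm)


def code_from_uri(uri, unix_time):
    """Generate the code the user's phone would show at unix_time, from the QR payload alone."""
    params = parse_otpauth(uri)
    return totp(params["secret"], unix_time, params["digits"], params["period"], params["algorithm"])


def clone_matches(uri, unix_time):
    """Anyone holding a copy of the seed derives the same code as the legitimate device."""
    legitimate_device = code_from_uri(uri, unix_time)
    copy_of_seed = parse_otpauth(uri)["secret"]      # e.g. read from an unencrypted sync
    cloned = totp(copy_of_seed, unix_time)
    return legitimate_device == cloned


if __name__ == "__main__":
    meta = parse_otpauth(EXAMPLE_URI)
    print("service:", meta["issuer"], "account:", meta["account"])
    print("code now:", code_from_uri(EXAMPLE_URI, time.time()))
    print("clone produces identical code:", clone_matches(EXAMPLE_URI, time.time()))
```

The RFC 6238 test vectors apply directly: with this seed the code at Unix time 59 is 287082 and at 1111111109 it is 081804, regardless of which device computes it. That is the whole point the researchers make: the seed is the second factor, and a copy of it is as good as the phone.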
With this information, Google could learn which services a user holds accounts with and could use it commercially, for example to serve personalized ads.
Adding End-to-End Encryption
Against this background, Google has indicated that it will start adding end-to-end encryption to Google Authenticator in upcoming updates, although it is doing so with “precautionary measures” so that users protected by this feature do not lock themselves out.
As Google product manager Christian Brand explained to BleepingComputer, end-to-end encryption can cause users to “get locked out of their own data without recovery”.
Google said it has begun rolling out “optional” end-to-end encryption in some of its products and that it plans to offer the same option for Google Authenticator “in the future.”
“The safety of our users is paramount to everything we do at Google, and it’s a responsibility we take very seriously,” Brand said in the statement, stressing that the latest Google Authenticator update was made “with that mission in mind.”
Google’s product manager concluded, “We take careful steps to ensure that we can present this to users in a way that protects their security and privacy, but is also useful and convenient.”