Researchers find that the encryption of a user's 2FA secrets are stripped after transportation to the cloud.

Dark Reading Staff, Dark Reading

April 26, 2023

1 Min Read
a digital image of a person logging into a computer with a username and password.
Source: Song about Summer via Adobe Stock

After a 13-year-long wait, Google Authenticator has added a 2FA account-sync feature that allows its users to back up their 2FA code sequences into the cloud, after which they can restore them back into a new device.

Though the process in which a user uploads their 2FA secrets is encrypted, researchers at Naked Security by Sophos and iOS developers at Mysk reported that a user's 2FA details were "unencrypted inside Google's HTTPS network packets." Furthermore, there is no option in which a user can encrypt their upload using a passphrase prior to it leaving their device.

This is concerning due to the fact that once the encryption for the transportation of the data is removed after the upload has arrived, the data is available to Google and virtually anyone else who is in search of this information, including anyone with a search warrant.

While it's possible that Google might address this security issue in the future, researchers at Mysk "recommend using the app without the new syncing feature for now."

"Although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets," said Mysk researchers in a tweet.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights