Google Authenticator now allows you to sync your 2FA (two-factor authentication) with your Google Account. This way, you can log into the apps with your Google Account when the phone is unavailable. However, security researchers say this feature might pose a risk to users’ safety.
Google Authenticator is one of the most popular apps for setting two-factor authentication and receiving codes. The app is free, reliable, and supported by Google. In a recent update, Google has addressed one of the biggest user concerns by allowing them to sync the Authenticator app with their Google Account.
The company says this feature would make “one-time codes more durable by storing them safely in users’ Google Accounts.” The 2FA codes will be safely backed up in the Google Account. They’ll be easily accessible when you lose your phone or want to set up a new device.
Of course, Google still allows you to use the Authenticator app without syncing it with your Google Account. Additionally, the app has a new icon and design tweaks for a better user experience.
Security researchers warn about syncing the Google Authenticator app with Google Account
While the feature could bring convenience to users, security researchers at the software company Mysk say the traffic in the Authenticator app is not end-to-end encrypted. This means a third party, like a Google employee, could see the 2FA codes you use to log into accounts. Things could get worse if a cybercriminal could access your Google Account.
Mysk researchers further add that 2FA codes contain other information like account and service names. Google could use this data to personalize ads. Of course, researchers say, “Google data exports do not include the 2FA secrets that are stored in the user’s Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.”
In response to Mysk researchers, Google’s Product Manager for Identity and Security Christiaan Brand, noted that they encrypt data in all products, including the Authenticator app. However, he says that E2EE [end-to-end encryption] could get users locked out of their own data without recovery. That’s why Google started to roll out optional E2EE for some of its products. The Authenticator would also get the feature soon.
“Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use.” Brand added. “However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”