It took Google 13 years to add a new feature to Google Authenticator. With the new 2FA syncing feature, users can now back up their 2FA code sequences to the cloud and restore them to a new device. We doubt anyone would dispute the convenience of this new feature, but there are some security concerns.
Is Google’s 2FA Syncing Putting Your Privacy in Danger?
Not long ago, researchers at Sophos’s Naked Security and iOS developers at Mysk shared their thoughts on this. They said that a user’s 2FA information was “unencrypted within Google’s HTTPS network packets.” HTTPS keeps your 2FA info secret while you submit it, but the problem is that it is delivered to its destination without any encryption of its own. This gives Google and others access to your information, including anyone with a search warrant, which could compromise the user’s data.
In addition, there is no way for users to encrypt their upload with a passcode before it leaves their device. So bad actors can intercept and access data without effort. Given these security issues, Mysk recommends using the app without the new syncing functionality for now.
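The concern above, as an added example that is not from the article or from Mysk: a check to run on a sync request body captured from your own test device, reporting whether a known TOTP seed appears in a readable encoding, together with the RFC 6238 computation that shows the seed alone is enough to produce valid codes. The request bodies, account name and function names are constructed for illustration; the seed is the RFC 6238 test key, and the real sync format is not shown on this page.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key, used here as the seed enrolled on the test device.
SEED = b"12345678901234567890"
SEED_B32 = base64.b32encode(SEED).decode()

# Constructed request bodies (NOT Google's real sync format).
PLAINTEXT_SYNC = ('{"entries":["otpauth://totp/Example:alice?secret='
                  + SEED_B32 + '&issuer=Example"]}').encode()
# Stand-in for a body encrypted on the device before upload.
OPAQUE_SYNC = hashlib.sha256(b"constructed ciphertext stand-in").digest() * 2


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Whoever reads the seed can compute this."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def find_exposed_seed(payload: bytes, seed: bytes) -> list:
    """Return the encodings in which `seed` appears verbatim in `payload`.

    Only whole-value encodings are checked; a seed buried inside a larger
    base64 or compressed blob needs that layer decoded first.
    """
    exact = {"raw": seed, "base64": base64.b64encode(seed).rstrip(b"=")}
    caseless = {
        "base32": base64.b32encode(seed).rstrip(b"=").lower(),
        "hex": seed.hex().encode(),
    }
    hits = [name for name, needle in exact.items() if needle in payload]
    lowered = payload.lower()
    hits += [name for name, needle in caseless.items() if needle in lowered]
    return hits


if __name__ == "__main__":
    for label, body in (("plaintext", PLAINTEXT_SYNC), ("opaque", OPAQUE_SYNC)):
        print(label, find_exposed_seed(body, SEED) or "seed not found")
    print("code at t=59:", totp(SEED, 59, digits=8))
```

An empty result only means the seed was not found in these encodings; it does not prove the body is end-to-end encrypted.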
We are sure that Google will address this issue in the future. But at the moment, the lack of upload encryption is a significant security flaw, and Google should work on it now. So we recommend our readers use the new sync functionality with caution and explore alternative 2FA methods until the security issue is resolved.
Ultimately, the new Google Authenticator feature is a step towards making 2FA more convenient for users. But the security concerns associated with this feature should not be overlooked. As users, we need to be vigilant about the security of our data and take the necessary steps to protect it.
In general, user privacy is one of the biggest issues today. You can’t name a single company that hasn’t had to deal with it. So Google is neither the last nor the only company to face these issues.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023