Google’s New Two-Factor Authentication Isn’t End-to-End Encrypted, Tests Show

A new two-factor authentication tool from Google isn’t end-to-end encrypted, which could expose users to significant security risks, a test by security researchers found.

Google’s Authenticator app provides unique codes that website logins may ask for as a second layer of security on top of passwords. On Monday, Google announced a long-awaited feature, which lets you sync Authenticator to a Google account and use it across multiple devices. That’s great news because in the past, you could end up locked out of your account if you lost the phone with the authentication app installed.

But when app developers and security researchers at the software company Mysk took a look under the hood, they found the underlying data isn’t end-to-end encrypted.

“We tested the feature as soon as Google released it. We realised that the app didn’t prompt or offer an option to use a passphrase to protect the secrets,” the company wrote on Twitter.

“We analysed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” the company added. “As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers.” In the security community, “secrets” is the term for credentials that work as a key to unlock an account or a tool.

You can use Google Authenticator without tying it to your Google account or syncing it across devices, which avoids this issue. Unfortunately, that means it might be best to avoid a useful feature that users spent years clamoring for. “The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy,” the company said. “We recommend using the app without the new syncing feature for now.”

Google did not immediately respond to a request for comment.

The tests found the unencrypted traffic contains a “seed” that’s used to generate the two-factor authentication codes. According to Tommy Mysk, one of the researchers who uncovered the problem, anyone with access to that seed can generate their own codes for your accounts and break in.

“If Google servers were compromised, secrets would leak,” Mysk told Gizmodo. Adding insult to injury, QR codes involved with setting up two-factor authentication also contain the name of the account or service (Amazon or Twitter, for example). “The attacker can also know which accounts you have. This is particularly risky if you’re an activist and run other Twitter accounts anonymously.”
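To make concrete why the seed and the setup QR code are the whole secret, here is an added example (not code from Mysk, Google or the Authenticator app) that parses a constructed `otpauth://` URI of the kind a 2FA setup QR code encodes and derives the login code from it per RFC 4226/6238. The seed in the sample is the RFC 6238 test key, the issuer and account label are made up, and the point is that any holder of this payload computes exactly the same codes as the user's phone and also learns which service and account it belongs to.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample payload of a TOTP setup QR code. The secret is the
# RFC 6238 test key "12345678901234567890" in base32; issuer/account are made up.
SAMPLE_URI = ("otpauth://totp/Twitter:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Twitter&digits=6&period=30")

def parse_otpauth(uri):
    """Pull the seed and the account metadata out of an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parsed.path.lstrip("/"))          # "Issuer:account" by convention
    issuer_from_label, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = params["secret"].upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))   # re-add stripped padding
    return {
        "issuer": params.get("issuer", issuer_from_label),
        "account": account,
        "secret": secret,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // period, digits)

def code_from_uri(uri, unix_time=None):
    """Everything a valid code needs (seed, digits, period) is inside the URI."""
    entry = parse_otpauth(uri)
    return totp(entry["secret"], unix_time, entry["period"], entry["digits"])
```

`code_from_uri(SAMPLE_URI)` on two different machines at the same moment returns the same six digits, which is exactly what syncing the seed through a server makes possible for whoever can read that seed.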

But it’s not just cyber criminals you need to worry about. “Google or Google staff can access this data,” Mysk said.

The lack of encryption means Google could in theory look at the data and learn what apps and services you use, which can be valuable for a number of purposes, including targeted ads. “Allowing a tech giant thirsty for data like Google to establish a graph of all accounts and services each user has is not a good thing,” Mysk said.

The issue comes as a surprise, given Google’s history with similar tools. Google has a vaguely similar feature that lets you sync data from Google Chrome across devices. There, the company gives users the option to set up a password to protect that data, keeping it away from prying eyes at Google and protecting it from anyone else who might intercept it.

“2FA secrets are considered sensitive data, just like passwords. Google already supports passphrases for syncing Chrome data. So we expected that 2FA secrets be treated the same,” Mysk said.

So far, Google hasn’t announced any plans to add password protection to its Authenticator sync feature.
