Google just announced on its Security Blog that the company’s Authenticator app is getting not only a redesign with a new, modernized logo but also, finally, account synchronization for your codes. The app never cloud-synced your authentication codes, which caused plenty of frustration: not only during setup, but every time you swapped or upgraded phones the app had to be set up again from scratch, leaving many people locked out of the accounts that require these codes.
“One major piece of feedback we’ve heard from users over the years was the complexity in dealing with lost or stolen devices that had Google Authenticator installed. Since one time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.” – Google Security Blog
This is great and all, but in an odd twist, these codes, while synced to your Google Account for easier setup and recall on new devices, are not end-to-end encrypted. This is a big misstep by Google, and users are starting to notice that the solution is half-baked.
Without E2E encryption, these secrets could potentially be exposed or intercepted by malicious third parties. According to Mysk on Twitter, who told Gizmodo about the lack of encryption, they “analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” and added: “This means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”
Essentially, by backing up your secret codes, Google could view them raw on its servers, because what is synced is the “seed” used to generate your codes. Anyone who gets hold of that seed can generate valid codes for your account and use them to gain access. This also means that if Google were hacked and someone got hold of the server data where this information was stored, they would have direct access to all of your stuff.
Google was quick to respond via CNET, stating that it still plans to roll out E2E encryption to its Authenticator app in time and that it added account syncing for “convenience,” even though that clashes with the very idea of keeping users at arm’s length from risk and security concerns.
You can still use the app without syncing your secret codes, so for any users who do see this (many will unwittingly sync their accounts anyway), I would recommend using it the way you always have – cut off from Google’s servers. Let me know in the comments if you use Google Authenticator at all, or if you’ve moved on to other solutions like Authy.