Joe Hindy / Android Authority
TL;DR
- Google rolled out a brand new feature for its Authenticator app that syncs the app across devices.
- Security researchers found that the new feature doesn't have end-to-end encryption.
- The researchers recommend avoiding the feature for now.
Update, April 26, 2023 (03:29 PM ET): Christiaan Brand — who holds the title of Product Manager: Identity and Security at Google — took to Twitter to explain the news story below. His statement (broken up over four tweets) is reposted here for clarity:
We're always focused on the safety and security of Google users, and the recent updates to Google Authenticator was no exception. Our goal is to offer features that protect users, BUT are useful and convenient. We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE [end-to-end encryption] is a powerful feature that offers extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To make sure we're offering users a full set of options, we've started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line. Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.
Original article, April 26, 2023 (12:45 PM ET): Earlier this week, Google released a new feature for its 2FA Authenticator app. The new feature allows the app to sync to a Google account, so Google Authenticator codes can be used on different devices. Now security researchers are saying to avoid the feature for now.
On Twitter, security researchers at the software company Mysk revealed that they tested the Authenticator app's new feature. After analyzing the network traffic when the app syncs to another device, they found the traffic was not end-to-end encrypted.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they're stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
The term "secrets" is security-community jargon for credentials. So they're saying that Google employees can see the credentials you use to log into accounts.
The software company goes further to explain exactly why this is bad for your privacy.
Every 2FA QR code contains a secret, or a seed, that's used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there's ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.
What's worse, as Mysk points out, "2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc.)." This means Google can see the online services you use and could use that information to serve personalized ads. It could be even more troublesome if a cybercriminal gained control over your Google account.
Despite the glaring security problem, at least it appears the 2FA secrets stored in a Google account aren't exposed through Google's data exports, according to Mysk.
Surprisingly, Google data exports don't include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.
The security researchers end their post by recommending that users avoid the feature until Google fixes this problem. As of this writing, Google has yet to announce whether it will add password protection to this new feature.