Categories
Mobile Syrup

Google Authenticator to get end-to-end encryption ‘down the line’

On Wednesday, April 26th, we shared how Google’s Authenticator application was discovered to not offer end-to-end encryption (E2EE). Earlier this week, Google announced that users would now be able to sync Authenticator to a Google account and use it across multiple devices.

However, when security researchers and app developers for the software company Mysk dug deeper into the change, they noticed that the underlying data wasn’t end-to-end encrypted. This opened up the possibility of Google getting a glimpse at users’ apps and data for the purpose of targeted ads.

Now, Google product manager Christiaan Brand has responded to criticism from security researchers. He said, “we have plans to offer E2EE for Google Authenticator down the line.”

With the Authenticator app synced to Google Accounts, users can easily sign into their accounts on new devices. Although this feature is a welcome addition, it raises security concerns, as hackers who breach a user’s Google account could gain access to numerous other accounts through the Authenticator app. If the new update featured E2EE, hackers and third parties, including Google, would not be able to see this sensitive information.

Brand added that while E2EE is a powerful feature, it comes at a cost. He said Google encrypts “data in transit, and at rest, across our products, including in Google Authenticator,” and that adding E2EE would come at the “cost of enabling users to get locked out of their own data without recovery.”

It is currently unknown when Google will offer E2EE for the Authenticator app.

Image credit: Shutterstock

Source: @christiaanbrand Via: The Verge

Google Authenticator doesn’t feature end-to-end encryption

Google’s new two-factor authentication tool has been discovered not to offer end-to-end encryption, which could lead to security risks.

The Authenticator app works by providing unique codes for websites required as a second layer of protection on top of user passwords. Earlier this week, Google announced that users would now be able to sync Authenticator to a Google account and use it across multiple devices. This move from the tech giant eliminates the risk of being locked out of your account via a misplaced phone.

However, when security researchers and app developers for the software company Mysk dug deeper into the change, they noticed that the underlying data wasn’t end-to-end encrypted. Mysk went on to explain on Twitter that Google is able to see ‘secrets’, likely even while they’re stored on its servers. In security, the word ‘secrets’ describes credentials that work as a key to unlock an account or a tool.

This opens up the possibility for Google to get a glimpse at users’ apps and data for the purpose of targeted ads.

Users can use Authenticator without connecting it to their Google account or syncing it across other devices as a means to bypass the issue. The downside of this is that it effectively renders the newest update useless.

Google might not be the only one who can see your data. The tests conducted found that unencrypted traffic contains a seed that generates the two-factor authentication codes, and according to researcher Tommy Mysk, anyone with that seed can generate codes that can be used to breach your account.
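
Why the seed is the whole secret, shown as an added example that is not part of the original article: a minimal RFC 6238 (TOTP) implementation in Python. The seed used is the published RFC 6238 test key, not a real account, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(seed, unix_time // step, digits)


def decode_seed(b32: str) -> bytes:
    """Seeds are usually exchanged as Base32 text; tolerate spaces and case."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), Base32-encoded.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def codes_match_for_any_holder(unix_time: int) -> bool:
    """Nothing but the seed and the clock goes into the code, so every copy
    of the seed (a second phone, a sync server) derives the same value."""
    phone = totp(decode_seed(RFC_SEED_B32), unix_time)
    other_copy = totp(decode_seed(RFC_SEED_B32.lower()), unix_time)
    return phone == other_copy


if __name__ == "__main__":
    print(totp(decode_seed(RFC_SEED_B32), 59, digits=8))
    print(codes_match_for_any_holder(1234567890))
```

No device identifier or account password enters the computation, which is why a synced seed needs to be encrypted with a key the server never holds if the server is to be kept out of the trust boundary.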

The discovery is concerning, considering the company has taken steps with similar tools to prevent data spying.

Google has yet to comment on the issue and has not announced plans to add password protection to Authenticator.

Image credit: Google

Source: @mysk_co Via: Gizmodo

Google Authenticator to begin syncing one-time codes in the cloud

A new update to Authenticator for Android and iOS allows backups of codes to be stored in your Google account, meaning users won’t be locked out indefinitely if they lose a device with stored codes. Users will no longer have to reauthorize their linked apps if they get a new phone.

The latest version of Authenticator will let users follow prompts to sign into Google and enable syncing. The company says, “If you set up 2-Step Verification, you can use the Google Authenticator app to generate codes. You can still generate codes without internet connection or mobile service.”

The update also features a new logo for the app.

Despite adding passkey support in Android and Chrome, Google still understands that one-time codes are sometimes necessary for people looking to get back into their accounts. Thankfully, the new update to the app may encourage users to opt for two-factor authentication for increased protection of their devices.

Google joins companies like Microsoft, which has its own cloud backup in Microsoft Authenticator.

Header image credit: Google

Source: Google Via: Engadget