A new two-factor authentication tool from Google isn’t end-to-end encrypted, which could expose users to significant security risks, a test by security researchers found.
Google’s Authenticator app provides unique codes that website logins may ask for as a second layer of security on top of passwords. On Monday, Google announced a long-awaited feature, which lets you sync Authenticator to a Google account and use it across multiple devices. That’s great news, because in the past, you could end up locked out of your account if you lost the phone with the authentication app installed.
But when app developers and security researchers at the software company Mysk took a look under the hood, they found the underlying data isn’t end-to-end encrypted.
“We tested the feature as soon as Google released it. We realized that the app didn’t prompt or offer an option to use a passphrase to protect the secrets,” said Tommy Mysk, one of the researchers who uncovered the problem, in a conversation with Gizmodo.
When Mysk and his partner Talal Haj Bakry analyzed the network traffic as the app synced with Google servers, they found the data is not not end-to-end encrypted.“This means that Google can see the secrets, likely even while they’re stored on their servers,” the Mysk team wrote on Twitter. In the security community, “secrets” is the term for credentials that work as a key to unlock an account or a tool.
You can use Google Authenticator without tying it to your Google account or syncing it across devices, which avoids this issue. Unfortunately, that means it might be best to avoid a useful feature that users spent years clamoring for. “The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy,” Mysk wrote. “We recommend using the app without the new syncing feature for now.”
The tests found the unencrypted traffic contains a “seed” that’s used to generate the two-factor authentication codes. According to Mysk, anyone with access to that seed can generate their own codes for your accounts and break in.
“If Google servers were compromised, secrets would leak,” Mysk said. Adding insult to injury, QR codes involved with setting up two-factor authentication also contain the name of the account or service (Amazon or Twitter, for example). “The attacker can also know which accounts you have. This is particularly risky if you’re an activist and run other Twitter accounts anonymously.”
But it’s not just cyber criminals you need to worry about. “Google or Google staff can access this data,” Mysk said.
Google acknowledged that the data is not end-to-end encrypted, but said the security feature is coming at some point.
“End-to-End Encryption (E2EE) is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery,” said Christiaan Brand, group product manager at Google. “To ensure that we’re offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.” Braand posted a Twitter thread with more details.
The lack of encryption means Google could in theory look at the data and learn what apps and services you use, which can be valuable for a number of purposes, including targeted ads. “Allowing a tech giant thirsty for data like Google to establish a graph of all accounts and services each user has is not a good thing,” Mysk said.
The issue comes as a surprise, given Google’s history with similar tools. Google has a vaguely similar feature that lets you sync data from Google Chrome across devices. There, the company gives users the option to set up a password to protect that data, keeping it away from prying eyes at Google and protecting it from anyone else who might intercept it.
“2FA secrets are considered sensitive data, just like passwords. Google already supports passphrases for syncing Chrome data. So we expected that 2FA secrets be treated the same,” Mysk said.
Update, Apr. 26, 3:45 pm EST: This story has been updated with a comment from Google.