- Google recently updated its two-factor authentication app to add a cross-device sync feature.
- Analysis of the privacy update revealed that the sync process is not end-to-end encrypted.
- Cybersecurity experts have asked users to exercise caution as the new feature may not be completely secure.
Google’s recent update for its two-factor authentication app introduced a widely demanded feature where users can synchronize secrets across multiple devices. However, a thorough analysis of the privacy update revealed that the secrets were not completely encrypted and Google has the ability to see the secrets.
Cybersecurity duo Mysk took to Twitter earlier today to share the results of their analysis of Google’s new privacy update. According to the security researchers, the network traffic when the app syncs the secrets is not end-to-end encrypted. This essentially means that Google can see the secrets, even when they’re stored on its servers.
While the update allows users to sign in with their Google Account and sync two-factor authentication secrets across their iOS and Android devices, the secrets are technically vulnerable. If a malicious actor manages to gain access to the secret, it will be relatively easy to generate a one-time OTP and beat the two-factor authentication measures in place.
In addition to that, 2FA QR codes usually contain other information including the account name and name of the service. Since Google has access to the secrets, it can potentially use private information for its benefit to display personalized advertisements.
The cybersecurity experts also found that when a user exports his/her data from Google, the two-factor authentication secrets stored in the user’s account are not included in the exported data. Mysk has recommended users to exercise caution while dealing with the new privacy update.
“The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets,” Mysk tweeted.