Google leaking 2FA secrets – researchers advise against new “account sync” feature for now
Security News, April 2023
The Google Authenticator 2FA app has featured strongly in cybersecurity news stories lately, with Google adding a feature to let you backup your 2FA data into the cloud and then restore it onto other devices.
The six-digit codes commonly generated by 2FA apps are calculated right on your phone, not on your laptop. They're based on a "seed" or "starting key" that's stored on your phone, and they're protected by the lock code on your phone, not by any passwords you routinely type in on your laptop.
Of course, this "solution" brings with it a problem of its own, namely: how do you back up those all-important 2FA seeds in case you lose your phone, or buy a new one and want to switch over to it?
Most online services require you to set up a 2FA code sequence for a new account by entering a 20-byte string of random data, which means laboriously typing in either 40 hexadecimal characters, one for every half-byte, or carefully entering 32 characters in base-32 encoding, which uses the letters A to Z and the six digits 2 to 7 (234567).
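To make concrete why the seed is the whole secret, here is an added example (not code from the article or from Google Authenticator) that takes a 20-byte seed, shows the two ways it is usually typed in (40 hex characters or 32 base-32 characters), and derives the six-digit codes from it using the standard TOTP construction (RFC 6238, HMAC-SHA1, 30-second steps). The sample seed is the RFC 6238 reference secret, embedded here as constructed input; the function names are this example's own. Whoever holds the seed, in any encoding, can compute every future code, which is exactly why leaking seeds in transit matters.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the 20-byte ASCII secret used in the RFC 6238 test vectors.
SAMPLE_SEED = b"12345678901234567890"


def seed_to_hex(seed: bytes) -> str:
    """20 bytes -> 40 hexadecimal characters (one per half-byte)."""
    return seed.hex()


def seed_to_base32(seed: bytes) -> str:
    """20 bytes -> 32 base-32 characters (A-Z and 2-7), no padding needed."""
    return base64.b32encode(seed).decode("ascii")


def seed_from_base32(text: str) -> bytes:
    """Reverse of seed_to_base32, tolerating the spaces and lowercase users type."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding the QR/text form omits
    return base64.b32decode(cleaned)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift.

    Uses a constant-time comparison so the check does not leak which digits matched.
    """
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(seed, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("hex   :", seed_to_hex(SAMPLE_SEED), len(seed_to_hex(SAMPLE_SEED)), "chars")
    print("base32:", seed_to_base32(SAMPLE_SEED), len(seed_to_base32(SAMPLE_SEED)), "chars")
    now = int(time.time())
    print("code now:", totp(SAMPLE_SEED, now))
```

The `verify` helper is what the service side does with its copy of the same seed; the phone and the server are just running identical arithmetic on a shared secret, so the seed has to stay confidential on both ends and anywhere it is backed up.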
Well, Google Authenticator recently, if belatedly, started offering a 2FA "account sync" service so that you can back your 2FA code sequences up into the cloud, and later restore them to a new device, for example if you lose or replace your phone.
Your 2FA account details, including the seeds themselves, were sent unencrypted inside the HTTPS connection, meaning the transport layer (TLS) was the only thing protecting them; there was no additional encryption with a key that only you hold.