Google’s 2FA app update lacks end-to-end encryption, researchers find
On April 25, security researchers Tommy Mysk and Talal Haj Bakry, known collectively on Twitter as Mysk, warned users of Google's Authenticator 2FA app not to turn on a new syncing feature.
The change came about when Google enabled its 2FA Authenticator app to sync credentials across different devices.
Each 2FA QR code contains a "secret" that is used to generate a unique code; when the Authenticator app syncs secrets between devices, they are sent in a format that Google or attackers can see.
If someone gains access to your Google Account, through a data breach or any other means, they could find the 2FA secrets that unlock the account's protections.
The lack of end-to-end encryption also means Google has a transparent view into what services each account owner uses; this is information Google could use to target personalized ads.
On Twitter, Mysk wrote: "The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now."
News URL
https://www.techrepublic.com/article/security-vulnerability-google-2fa/