
Google adds account sync for Authenticator, without E2EE
2023-05-01 11:04

In brief: You may have heard news this week that Google is finally updating its authenticator app to add Google account synchronization.

According to the pair, whose discoveries we've covered in the past, this means the seed used to generate 2FA codes is being transmitted without E2EE and is likely visible to Google when stored on its servers.

Because seeds are being synced to a Google account, an account compromise would mean all those second factors are compromised, too.

Christiaan Brand, Google's product manager for identity and security, took to Twitter to reassure users they shouldn't be concerned because "We're always focused on the safety and security of Google users and the newest update to Google Authenticator was no exception."

Brand added that Google is beginning to roll out E2EE in some of its products and has plans to add it to Authenticator in the future, but a Google spokesperson told The Register it didn't have a date to share when that may happen.

Our advice - especially for those that use Google Authenticator for work-related 2FA - would be to take advantage of that offline option.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/05/01/google_adds_account_sync_for/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 996 4895 2855 1622 10368