The Google Authenticator isn't end-to-end encrypted, new tests show. This means that this security tool is not spared from security risks, and it might expose your personal information to outside attacks.
Google Authenticator App Is Not End-to-End Encrypted
Early tests show that Google's Authenticator app can expose users to security risks because it's not end-to-end encrypted.
According to a report by Gizmodo, software firm Mysk conducted tests where security researchers and developers experimented if the two-factor authenticator was safe enough for the users.
"We tested the feature as soon as Google released it. We realized that the app didn't prompt or offer an option to use a passphrase to protect the secrets," the company posted on Twitter.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
The experts also added that the traffic in the app is not end-to-end encrypted. Mysk shared the screenshots, which show that Google most likely knows your confidential information if they are stored on the servers.
To solve the issue, you can unlink your Google account to the Google Authenticator if you have doubts about it not being end-to-end encrypted.
Mysk also said that although the 2FA method is deemed to be useful when using different devices, the user is exposing his/her privacy when using it. Because of this, the company is not recommending that users sync their accounts to the app anymore.
Related Article: Google Authenticator to Sync to Your Google Account in Case Your Device Gets Stolen
The Danger Behind Google Authenticator
Mashable reported this week that Google Authenticator codes can now be stored in the cloud, which gives users more options to store them in a different place as long as the Google Account is linked.
The search engine giant said that this update solved the long-time flaw on the one-time codes that have been bugging the users.
Of course, the feature is optional, and you have all the means to store it locally if you wish.
While syncing the 2FA secrets is very handy, the Mysk researchers found that they would leak once the Google Servers are compromised.
What's worse, the threat actor could know the other information connected to your account, including the account name and its associated app.
It's very risky, especially for a content creator or an activist who usually has many Twitter accounts with no exact identity.
As per Tommy Mysk, you shouldn't be worried about the hackers alone since Google staff can gain access to your data without permission.
Tommy adds that it's not a good thing to miss the encryption on an authenticator tool. This also means that Google will have more control over the targeted ads it wants to show to a particular audience.
Mysk expects that Google will treat 2FA secrets the same way as passwords. In short, everything associated with sensitive data should be treated with extreme confidentiality and caution.
If you want to know more about Google Authenticator, you can click this link to see its app requirements, how to set it up, and more.
Read Also: Proton Launches New Beta Password Manager With 'More Complete Encryption Model'
