Google's new two-factor authentication sync feature is not end-to-end encrypted, which can expose users to significant security risks, according to a test by security researchers.
Google Authenticator provides unique codes that website logins may request as a second layer of security on top of passwords. On Monday, Google announced a long-awaited feature that allows you to sync Google Authenticator with your Google account and use it across multiple devices. This is welcome news, because in the past you could end up locked out of your accounts if you lost the phone with the authenticator app installed.
But when app developers and security researchers at software company Mysk took a look under the hood, they found that the underlying data wasn’t end-to-end encrypted.
“We tested the feature as soon as it was released by Google. We realized that the app didn’t prompt or offer an option to use a passphrase to protect secrets,” Tommy Mysk, one of the researchers who discovered the issue, said in a conversation with Gizmodo.
When Mysk and his partner, Talal Haj Bakri, analyzed network traffic while the app was syncing with Google’s servers, they found that the data was not end-to-end encrypted. This means that Google can see the secrets, including while they are stored on its servers. In the security community, “secrets” is the term for credentials that serve as the key to unlocking an account or tool.
You can use Google Authenticator without linking it to your Google account or syncing it across devices, which avoids this problem. Unfortunately, this means it might be best to avoid the very feature users have spent years clamoring for. “Bottom line: Although syncing two-factor authentication secrets across devices is convenient, it comes at a cost to your privacy,” Mysk wrote. We recommend using the app without the new sync feature at this time.
Tests found that the unencrypted traffic contains the “seed” (the shared secret) from which two-factor authentication codes are generated. According to Mysk, anyone with access to this seed can generate valid codes for your accounts and use them to break in.
“If Google’s servers are hacked, secrets will leak out,” Mysk said. Adding insult to injury, the QR codes used when setting up two-factor authentication also contain the name of the account or service (Amazon or Twitter, for example). “The attacker could also see what accounts you have. This is especially risky if you are an activist and manage other accounts on Twitter without revealing your identity.”
But you don’t just have to worry about cybercriminals. “Google, or Google employees, can access this data,” Mysk said.
Google acknowledged that the data is not end-to-end encrypted, but said the feature is planned for the future.
“End-to-end encryption (E2EE) is a powerful feature that provides additional protection, but at the cost of enabling users to lock themselves out of their own data without recovery,” said Christian Brand, group product manager at Google. “To ensure that we offer a full range of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.” Brand published a Twitter thread with more detail.
The lack of encryption means that Google could theoretically look at the data and see which apps and services you use, which can be valuable for a number of purposes, including targeted advertising. “Allowing a data-hungry tech giant like Google to build a graph of all the accounts and services each user has is not a good thing,” Mysk said.
The problem comes as a surprise, given Google’s history with similar tools. Google has a vaguely similar feature that allows you to sync Google Chrome data across devices. There, the company offers users a passphrase option to protect that data from prying eyes at Google and from anyone else who might intercept it.
Two-factor authentication secrets are sensitive data, just like passwords. Google already supports passphrases for Chrome data syncing. So we expected two-factor authentication secrets to be handled the same way.
Update, April 26, 3:45 PM EST: This story has been updated with a comment from Google.