Wednesday, April 26, 2023

Google Authenticator Adds Syncing

Christiaan Brand (Hacker News, MacRumors):

We are excited to announce an update to Google Authenticator, across both iOS and Android, which adds the ability to safely backup your one-time codes (also known as one-time passwords or OTPs) to your Google Account.

[…]

Since one time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.

With this update we’re rolling out a solution to this problem, making one time codes more durable by storing them safely in users’ Google Account. This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security.

I’m not sure why this took so long. Maybe they were working on some way to make sure it’s extra secure, but the announcement doesn’t talk about that.

Mysk (Hacker News):

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

[…]

Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.

Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user’s Google Account.
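To make concrete what Mysk is describing, here is an added Python example (not code from Mysk, Google, or this post) that parses the `otpauth://` URI a 2FA QR code encodes, separates the metadata that rides along in plaintext (issuer, account name, key type) from the shared secret, and then runs the RFC 6238 TOTP computation on that secret. The point is the second half: anyone who holds the plaintext secret, including a sync server that stores it without end-to-end encryption, can produce valid codes. The sample URI is constructed here from the RFC 6238 test secret and the names `Example` and `alice@example.com` are placeholders.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse


@dataclass
class OtpEntry:
    kind: str        # "totp" or "hotp"
    issuer: str      # service name (e.g. the site the account belongs to)
    account: str     # user identifier, usually an e-mail address
    secret: bytes    # the shared secret; this is the only part that must stay private
    algorithm: str   # HMAC hash: SHA1 (default), SHA256 or SHA512
    digits: int      # code length
    period: int      # TOTP time step in seconds


def parse_otpauth(uri: str) -> OtpEntry:
    """Parse an otpauth:// URI of the form used in authenticator QR codes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    # The label is conventionally "Issuer:account"; the issuer parameter wins if present.
    if ":" in label:
        label_issuer, account = label.split(":", 1)
    else:
        label_issuer, account = "", label
    issuer = params.get("issuer", label_issuer).strip()
    # Secrets are base32 without padding in the wild; restore padding before decoding.
    secret_b32 = params["secret"].strip().upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(secret_b32)
    return OtpEntry(
        kind=u.netloc,
        issuer=issuer,
        account=account.strip(),
        secret=secret,
        algorithm=params.get("algorithm", "SHA1").upper(),
        digits=int(params.get("digits", 6)),
        period=int(params.get("period", 30)),
    )


def visible_metadata(entry: OtpEntry) -> dict:
    """Everything in the entry except the secret: what a sync server learns
    about the user even if only the secret itself were encrypted."""
    return {"kind": entry.kind, "issuer": entry.issuer, "account": entry.account,
            "algorithm": entry.algorithm, "digits": entry.digits, "period": entry.period}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(entry: OtpEntry, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(entry.secret, unix_time // entry.period, entry.digits, entry.algorithm)


# Constructed sample: the RFC 6238 reference secret "12345678901234567890" in base32,
# 8-digit codes so the RFC test vectors apply directly.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&algorithm=SHA1&digits=8&period=30")

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print("plaintext metadata:", visible_metadata(entry))
    # Holding the secret is enough to mint a valid code for any time step.
    print("code at t=59:", totp(entry, 59))
```

Run it as a script to see the metadata dictionary and the code for time step 59; the test vectors in RFC 6238 (`94287082` at t=59, `07081804` at t=1111111109, `89005924` at t=1234567890) confirm the computation. A backup scheme that kept Google from learning the secret would have to encrypt `entry.secret` under a key derived on the device, from a user passphrase or a device-bound key, before the payload ever left the phone, which is the missing option Mysk points out.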

With no backup/syncing from Google Authenticator, I switched from Google Authenticator to 1Password as soon as it supported OTPs, and these days I use Apple’s password manager. But I don’t want to rely on it too heavily, for a variety of reasons, so for important accounts I use it only for OTPs, with the actual passwords in PasswordWallet.

Previously:

Update (2023-04-27): Mysk:

If you have already enabled syncing in Google Authenticator and now changed your mind and want to use the app offline, opting out won’t delete your tokens and their metadata from Google servers.

To remove your data from the cloud and use the app offline, you need to follow these steps[…]

See also: MacRumors.

Update (2023-05-01): Christiaan Brand (via Accidental Tech Podcast):

E2EE is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery.

To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line.

Mysk:

This shows that adding end-to-end encryption to Google Authenticator wasn’t planned at all, leaving the data of at least 100M+ users at risk.

Update (2023-08-31): Mysk:

A quick reminder that Google hasn’t updated its Authenticator app to support end-to-end encryption when syncing secrets with Google servers. It has been 4 months since they promised to support e2ee.


I like the GA for its simplicity. The app has a bug/feature on iPhone non-existent on Android: it lets you take a screenshot of the export account QR code. This is how I back it up on iCloud in an encrypted Note.

Google Authenticator has supported backup for quite some time. For at least the last few years, you can tap on a menu to "export" accounts. Select the accounts you want to export and it generates a mammoth QR code which, when scanned by another authentication app (like Authenticator on another device), that device gets all of the settings.

In other words, there was no need to sync anything through any cloud service and hasn't been any such need for several years.

Manually "syncing" this way avoids any possibility of Google's server "accidentally" leaking your data to people who shouldn't have it.

But even though I did not tell Authenticator to sync anything, I'm now worried that they may have done it without my knowledge. Time to get a different app and hope Google isn't retaining all my codes (or maybe time to re-generate them all as well. :( )

I'm super happy with OTP Auth on my iPhone simply because it allows me to organise the different accounts into folders (I have so many now). Even though the free version offers a lot of features (E2EE iCloud syncing, password & biometric protection, ...), I decided to support the developer through the one-time in-app purchase.
