Google Authenticator's new feature is not encrypted (Update: Google explains)
- Google rolled out a new feature for its Authenticator app that syncs the app across devices.
- Security researchers found that the new feature doesn’t have end-to-end encryption.
- The researchers recommend avoiding the feature for now.
Update, April 26, 2023 (03:29 PM ET): Christiaan Brand — who holds the title of Product Manager: Identity and Security at Google — took to Twitter to explain the news story below. His statement (broken up over four tweets) is reposted here for clarity:
We’re always focused on the safety and security of Google users, and the newest updates to Google Authenticator were no exception. Our goal is to offer features that protect users, BUT are useful and convenient. We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE [end-to-end encryption] is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line. Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.
Original article, April 26, 2023 (12:45 PM ET): Earlier this week, Google introduced a new feature to its 2FA Authenticator app. The new feature allows the app to sync to a Google account, allowing Google Authenticator codes to be used on different devices. Now security researchers are saying to avoid the feature for now.
On Twitter, security researchers at the software company Mysk revealed that they tested the Authenticator app’s new feature. After analyzing the network traffic when the app syncs to another device, they found the traffic was not end-to-end encrypted.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
The term “secrets” is security community jargon for credentials; here it means the seeds from which the app generates your one-time codes. So they’re saying that Google employees can see the credentials you use to log into accounts.
The software company goes on to explain exactly why this is bad for your privacy.
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.
What’s worse, as Mysk points out, “2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc).” This means Google can see the online services you use and it could use that information to serve personalized ads. It would be even more troublesome if a cybercriminal gained control over your Google account.
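To make concrete what the “secret, or a seed” inside a 2FA QR code is, and why anyone who holds it can derive the same codes and see the account metadata stored with it, here is an added example (not from the article, Mysk or Google) that parses a constructed otpauth:// URI and computes RFC 6238 TOTP codes from its seed. The URI, service name, account name and secret are all made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of the otpauth:// URI a 2FA QR code encodes.
# The secret here is a placeholder, not any real account's seed.
SAMPLE_URI = ("otpauth://totp/ExampleService:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleService&digits=6&period=30")

def parse_otpauth(uri):
    """Return label, issuer, raw seed bytes and parameters from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret_b32 = q["secret"][0].upper()
    # QR codes usually carry unpadded Base32; restore padding before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),      # account name, visible to any seed holder
        "issuer": q.get("issuer", [None])[0],      # service name, visible to any seed holder
        "seed": base64.b32decode(secret_b32),      # the secret that defeats 2FA if leaked
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(seed, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1: anyone with the seed and a clock gets this code."""
    counter = int(unix_time) // period
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print("metadata exposed with the seed:", entry["issuer"], entry["label"])
    print("code for this 30-second window:",
          totp(entry["seed"], time.time(), entry["digits"], entry["period"]))
```

The test vectors from RFC 6238 (seed `12345678901234567890`) confirm the code generation, which is why a copied seed, not just a captured code, is the real exposure.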
Despite the glaring security problem, at least it appears the 2FA secrets stored in a Google account aren’t exposed through Google’s data export, according to Mysk.
Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user’s Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.
The security researchers end their post by recommending users avoid using the feature until Google fixes this problem. As of this time, Google has yet to announce whether it will add password protection to this new feature.