
Google Authenticator's Privacy Update Raises Security Concerns

Google recently updated its two-factor authentication app, adding a cross-device sync feature. However, analysis of the privacy update revealed that the sync process is not end-to-end encrypted, causing cybersecurity experts to advise users to exercise caution.

Google building

Google Can Access Unencrypted Secrets

Cybersecurity researchers at Mysk shared their analysis of Google's privacy update on Twitter, revealing that the network traffic during the app's sync process is not end-to-end encrypted. This means that Google can read the 2FA secrets while they are stored on its servers.

Vulnerability to Malicious Actors

The update enables users to sync their two-factor authentication secrets across iOS and Android devices, but those secrets are potentially exposed. If a malicious actor obtains a secret, they can generate valid one-time passwords (OTPs) themselves and bypass the two-factor authentication protecting that account.

Private Information and Personalized Ads

2FA QR codes often contain additional information, such as account and service names. As Google can access these secrets, the company could use this private information to display personalized advertisements.
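To make both points above concrete, the following is an added example (not code from the article or from Mysk's analysis). It parses a constructed otpauth:// enrolment URI of the kind a 2FA QR code carries, showing that the payload names the issuer and account alongside the secret, and then derives the current TOTP code from that secret using the standard RFC 4226/6238 algorithm. The secret below is the RFC test key, not a real credential; the issuer and account name are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed QR payload. The base32 secret is the RFC 4226/6238 test key
# ("12345678901234567890"); issuer and account are invented for the example.
SAMPLE_QR_PAYLOAD = (
    "otpauth://totp/Example%20Corp:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=Example%20Corp&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Split an otpauth:// URI into its metadata and secret.

    Everything returned here is what a synced, unencrypted copy of the
    QR code discloses: not only the key but who the account belongs to."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    label = unquote(parsed.path.lstrip("/"))
    # Label format is "issuer:account"; the issuer part is optional.
    issuer_from_label, _, account = label.partition(":")
    if not account:
        issuer_from_label, account = "", issuer_from_label
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "type": parsed.netloc,
        "issuer": query.get("issuer", issuer_from_label) or None,
        "account": account.strip(),
        "secret": query["secret"],
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // period, digits, algorithm)


def exposure_report(uri, at_time=None):
    """Summarise what a party holding this URI learns and can do with it:
    the account it identifies, and a code that would pass the 2FA check."""
    entry = parse_otpauth(uri)
    code = totp(entry["secret"], at_time, entry["period"],
                entry["digits"], entry["algorithm"])
    return {"issuer": entry["issuer"], "account": entry["account"], "code": code}


if __name__ == "__main__":
    print(exposure_report(SAMPLE_QR_PAYLOAD))
```

The report shows why the sync channel's encryption matters: whoever can read the stored URI learns the service and account name (the metadata the article mentions in connection with ad profiling) and, because the seed is all TOTP needs, can produce the same six-digit codes as the user's phone. Defensively, this is also the logic to use when checking that a code entered during enrolment actually matches the seed before enabling 2FA.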

Exported Data Excludes 2FA Secrets

The cybersecurity experts also discovered that when users export their data from Google, the two-factor authentication secrets stored in their accounts are not included in the exported data. Mysk recommends that users exercise caution with the new privacy update.

Balancing Convenience and Privacy

Mysk tweeted, "The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets."