Google Authenticator to get E2EE following complaints it is now less secure

End-to-end encryption for Google Authenticator will be coming… sometime

It appears the new 2FA account cloud-syncing feature in Google Authenticator isn’t end-to-end encrypted, but end-to-end encryption will be coming at a later date.

Google recently updated its authenticator app to allow users to back up their saved accounts that require a Time-based One Time Passcode (TOTP) to authenticate their login, meaning that they can now easily transfer them to a new device.

However, security researchers Mysk sent out a tweet advising against turning on this functionality, as it isn’t end-to-end encrypted, meaning that Google, or a third party if the tech giant is breached, could see your codes.

Convenience trade-off

End-to-end encryption is a security and privacy enhancing feature that encrypts sensitive content so that it can only be decoded with a key, such as a password. For instance, it is the cornerstone of popular messaging apps such as WhatsApp, ensuring that content can only ever be seen by the sender and receiver - not even WhatsApp itself can take a peek.

Christiaan Brand, Product Manager for identity and Security, defended the omission by saying that the tech giant’s “goal is to offer features that protect users, BUT are useful and convenient.”

He added that “We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE… provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery.”

However, he also said that E2EE will be coming to various Google products, now including the authenticator, sometime “down the line”. He noted too that the app can still be used offline, without users having to sync 2FA accounts to their Google Account.

If you are using Google Authenticator, then you may be using it in conjunction with the Google Password Manager. While it isn’t our choice as the best password manager, it does allow for on-device encryption, which means that your own device stores the key internally to unlock access to your vault. Also, Google says that this key is used to “lock your passwords before they’re saved to Google Password Manager”, which means that, like end-to-end encryption, your passwords cannot be seen by Google or anyone else but you.

Google does caution, though, that this means that “if you lose the key, you could lose your passwords too.” But this on-device encryption could be part of the push from Google and other big tech firms to ditch passwords altogether in favor of passkeys, which they want to be the future of credential security.

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.