Google’s New Cloud-Based Authentication Is Not Yet End-to-End Encrypted

Google’s new cloud-based authentication is not yet end-to-end encrypted. The company says that an option to make it end-to-end encrypted is on the way.


The Google Authenticator app, which was updated earlier this week to allow for cloud-based two-factor authentication (2FA) through your Google account, isn’t end-to-end encrypted, according to software company Mysk.

“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” Mysk said via Twitter, as reported by Gizmodo early on Wednesday. “As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets.”

Users Are Advised Not To Turn On the Ability to Sync 2FA Codes across Devices

Security researchers at Mysk now recommend that people not turn on the ability to sync 2FA codes across devices and the cloud.

The long-awaited feature lets users still access their 2FA codes if their phone is lost or stolen. This means that codes for Gmail, banking apps, and the many other services that allow 2FA can still be accessed through your Google account even when your original device is not immediately available. Unfortunately, the sync feature is not end-to-end encrypted, at least for the moment.

What Google Has To Say about the New Development

“End-to-End Encryption (E2EE) is a powerful feature that provides extra protections but at the cost of enabling users to get locked out of their own data without recovery,” a Google spokesperson revealed to CNET via email. “To ensure that we’re offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”

Google has stated that it offered the feature in this initial way for convenience.

The Importance of 2FA

2FA gives users an extra layer of security on top of their passwords. The additional code generated by the Authenticator app can stop bad actors from logging into your account with only your password. For Big Tech, on the other hand, passwords are ultimately a vulnerable and ineffective way of keeping accounts safe and secure.

The FIDO Alliance  

Google, Apple, and Microsoft have all banded together in the FIDO Alliance, which is short for “fast identity online.” The goal is to have websites forgo passwords in favor of biometric login instead. This can include fingerprint scans or face scans, and it can also include phone verification. Switching websites over to a “passwordless future” will take time, and until then 2FA will remain an important way to keep accounts safe.
