Almost every service today offers the option of configuring a second authentication factor to protect our accounts: besides the username and password, we also have to enter a code received by SMS or email, or generated by an authenticator app such as Google Authenticator. A few days ago Google added a long-awaited feature to its free Android and iOS app: the 2FA secrets can now be synchronized between devices and backed up to our Google account. It has now been discovered that the app sends these secrets without end-to-end encryption, so Google, or anyone who gains access to our Google account, can read them and compromise our accounts.
Many users rely on Google Authenticator to generate temporary one-time codes on their smartphones. Until now, one weakness of the app was that the secrets were stored only locally on the phone, so changing phones meant the long and tedious process of disabling 2FA on every account and re-enabling it by scanning a new QR code on the new device.
Synchronization of codes in Google Authenticator
A few days ago Google released the most significant update in the history of Google Authenticator. Until then, 2FA secrets were stored exclusively on the device, so there was no way to back them up or access them from the cloud. Changing phones meant regenerating the 2FA secret for each and every account, and if the phone was lost or stolen we had to go through each service's lengthy recovery process to disable the protection, usually by email with the main account.
For this reason, many users have preferred Latch or apps such as Authy, which offer cloud backup and synchronization so that moving to a new phone is as simple as signing in on it, with all the 2FA secrets immediately available. Synchronization has been requested in Google Authenticator for years, and it has only just arrived, but it is not well implemented.
Sending all 2FA secrets without end-to-end encryption
According to Mysk, a development and cybersecurity company, Google Authenticator sends all the secrets stored on the device to Google's servers without end-to-end encryption. The Mysk team analyzed the app's network traffic while it synchronized these "keys", also called "secrets", and concluded that the data is not end-to-end encrypted: the connection itself may be protected, but the secrets arrive at Google in a form Google can read. This means several things:
- Google can see every secret for every service we upload, and it is quite possible that it can also read them while they sit on its servers.
- There is no way to add a passphrase to protect these secrets so that only we, and nobody else, can access them.
This behavior of Google Authenticator is catastrophic. Each QR code we scan carries a "secret" (often loosely called a "token"), the seed from which the temporary one-time codes are generated. Anyone who knows this secret can generate exactly the same codes we do and bypass the second authentication factor without any difficulty.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
If someone manages to compromise our Google account by whatever technique, they could access each and every secret stored in it, and with them the second factor of every service. Bear in mind that when we register a service in Google Authenticator we also enter a descriptive name for it, so that we can later find it and read its one-time code. Another important point is that Google itself can see which services we protect with a second factor, so we are handing over much more information than we might initially think.
As you can see, although this functionality is very important, for now we do not recommend enabling it until the necessary security measures are added to protect your secrets, both from Google and from any attacker who manages to break into your Google account.