At the beginning of the week we told you that, finally, Google Authenticator offers the possibility of using the cloud to share our “keys” to access the services that we have configured in it on various devices. This supposes a huge improvement in the company’s solution for key management 2FA, you know, the security system that enforces the access password with a unique login code that must be used in addition to the password. Many services offer various alternatives to this unique key, of which receiving an SMS message is the most popular, but certainly not the most secure.
If you haven’t used Google Authenticator, Authy, or similar apps yet, actually its operation is quite simple. You only have to indicate in the service that you want to protect with this system that you are going to use 2FA (the service in question must support it, of course), indicate that you will use an app of this type, scan a BIDI code from it and, automatically, the app will start generating temporary random codes. Thus, when you want to access the service, all you have to do is enter your credentials and, in a second step, also write the current password that you can see in the app.
The problem with these apps is that if you lose access to them… you also lose access to all the sites where you need to use the temporary keys they generate. However, with the synchronization in the cloud that Google Authenticator already offers since the beginning of the week, this risk is substantially reduced, because in the event of losing access on one device, if you have configured it on another you will continue to have access to the temporary codes. Thus, this is great news that, however, became not so great when it became known that, in In this first implementation of the feature, Google Authenticator Cloud Sync does not employ end-to-end encryption.
This, however, will change in the future because, as we can read in The Verge, Google plans to add end-to-end encryption to Authenticator, and affirms it based on some messages from Christiaan Brand, Google product manager. At the moment, however, there is no specific date (or at least this has not been made public), so we may still have to wait for some time, but it is reassuring to know that its implementation is on the list of pending tasks for the company.
In its current situation, there are many users who prefer not to use Google Authenticator cloud synchronization, which is more than understandable. And in response to these reservations, the app continues to allow its use in the traditional way, that is, the information is kept exclusively local and, therefore, does not pass through Google’s servers at any time.
