Google Authenticator Will Get End-to-End Encryption

Google confirmed that its recently updated Google Authenticator app will gain end-to-end encryption capabilities for its account syncing feature.

“We’re always focused on the safety and security of Google users, and the newest updates to Google Authenticator was no exception,” Google’s Christiaan Brand tweeted. “Our goal is to offer features that protect users, but are useful and convenient. We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE is a powerful feature that provides extra protection, but at the cost of enabling users to get locked out of their own data without recovery … [But] we have plans to offer E2EE for Google Authenticator down the line. Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”

Google announced a rare major update to its Authenticator app just days ago, adding Google account one-time code syncing capabilities and a new icon. But security researchers at Mysk said that this sync is not end-to-end encrypted (E2EE), meaning that Google could theoretically access customers’ codes.

“Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices,” the firm tweeted. “Don’t turn it on. We analyzed the network traffic when the app syncs the secrets [the seeds used to generate the one-time codes], and it turns out the traffic is not end-to-end encrypted. This means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”

Those who are concerned about this can continue to use Google Authenticator as before, without signing in or syncing.

Thurrott © 2024 Thurrott LLC