Google's New 2FA Isn't End-to-End Encrypted, Tests Show
upstart writes:
A new two-factor authentication tool from Google isn't end-to-end encrypted, which could expose users to significant security risks, a test by security researchers found.
Google's Authenticator app provides unique codes that website logins may ask for as a second layer of security on top of passwords. On Monday, Google announced a long-awaited feature, which lets you sync Authenticator to a Google account and use it across multiple devices. That's great news, because in the past, you could end up locked out of your account if you lost the phone with the authentication app installed.
But when app developers and security researchers at the software company Mysk took a look under the hood, they found the underlying data isn't end-to-end encrypted.
[...] When Mysk and his partner Talal Haj Bakry analyzed the network traffic as the app synced with Google servers, they found the data is not end-to-end encrypted. "This means that Google can see the secrets, likely even while they're stored on their servers," the Mysk team wrote on Twitter. In the security community, "secrets" is the term for credentials that work as a key to unlock an account or a tool.
You can use Google Authenticator without tying it to your Google account or syncing it across devices, which avoids this issue. Unfortunately, that means it might be best to avoid a useful feature that users spent years clamoring for. "The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy," Mysk wrote. "We recommend using the app without the new syncing feature for now."
Read more of this story at SoylentNews.
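As an added example (not code from Google, Mysk or this story), this shows what "Google can see the secrets" means in practice: any party holding a synced TOTP seed computes exactly the codes the phone shows, whereas a record encrypted on the device before upload leaves the server nothing to compute with. The seed (the RFC 6238 reference value), issuer name, passphrase and the HMAC-keystream cipher are constructed stand-ins; a real client would use an AEAD such as AES-GCM.

```python
import base64, hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)

# Constructed: the RFC 6238 reference seed, standing in for a seed an authenticator app holds.
SEED = b"12345678901234567890"

def plaintext_sync_record(secret: bytes, issuer: str = "example.test") -> dict:
    """Sync record carrying the raw seed, i.e. what a sync without E2EE hands the server."""
    return {"issuer": issuer, "secret_b32": base64.b32encode(secret).decode()}

def codes_visible_to_server(record: dict, unix_time: int):
    """Whatever party holds this record (the sync server included) can compute this."""
    if "secret_b32" not in record:
        return None  # ciphertext only: nothing to derive a code from
    return totp(base64.b32decode(record["secret_b32"]), unix_time)

def _sync_key(passphrase: str) -> bytes:
    """Key derived on the device from a user passphrase; it is never uploaded."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"authenticator-sync", 100_000)

def _keystream(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()  # one 32-byte block covers a 20-byte seed

def e2ee_sync_record(secret: bytes, passphrase: str, nonce: bytes, issuer: str = "example.test") -> dict:
    """Client-side-encrypted record: the server stores only nonce, ciphertext and an HMAC tag.
    XOR with an HMAC keystream is a teaching stand-in for a real AEAD such as AES-GCM."""
    assert len(secret) <= 32, "stand-in cipher handles a single 32-byte block"
    key = _sync_key(passphrase)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"issuer": issuer, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def client_decrypt(record: dict, passphrase: str) -> bytes:
    """Only a device that knows the passphrase gets the seed back; a bad tag is rejected."""
    key = _sync_key(passphrase)
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("tag mismatch: wrong passphrase or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce)))
```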