This week brought a good deal of excitement when Google Authenticator gained a new option to sync its 2FA data to your Google Account (Google's cloud), so that the codes can be restored on a new Android or iOS device. That is welcome news for anyone who has lost a phone, or worries about losing one, and with it access to every account the app protects. There are, however, privacy and security implications worth understanding before switching it on.
According to the security researchers at Mysk, the new option is not end-to-end encrypted: the secrets (the TOTP seeds) are not encrypted with a key that only the user holds, so Google itself is able to read and store them on its servers.
That is a serious point, because each 2FA QR code is simply an otpauth:// URI carrying that secret, and the one-time codes are derived from the secret and the current time by a public algorithm (TOTP, RFC 6238). Anyone who obtains the seed can compute every past and future code for that account, offline and indefinitely, without the phone and without leaving a trace, which defeats the second factor entirely.
Here is an illustrated drama in 3 acts:
While I have no doubt about the security of the servers at Google, we all know that even the most prepared companies can experience data leaks.
Furthermore, the backup does not hold only the secrets: the account name and the issuer (the name of the service) from each QR code are uploaded with them, and Google can read those fields in clear text. That amounts to a list of the online services you use, information that could also be used for personalised advertising.
It is also worth noting that if you ask Google for an export of your personal data, the 2FA secrets stored in your account do not appear anywhere in it. That leaves some uncertainty about where this sensitive data lives and how it is handled.
In short, there are real concerns about both the security and the privacy of the data that this feature stores in your Google Account. The convenience is tempting, but users should weigh it against the risk to their accounts.

The researchers recommend leaving the synchronisation feature disabled until Google adds end-to-end encryption, with a passphrase or a similar key that only the user holds. Bear in mind that if you have already enabled it, turning it off again does not unshare a secret that has already been uploaded; only re-enrolling 2FA with the service in question issues a fresh one.
In any case, now that you are aware of the risks, take the appropriate steps to protect your online accounts and data. Prevention is better than cure.