Google plans to add end-to-end encryption to Authenticator
Google Authenticator is getting end-to-end encryption — eventually. After security researchers criticized the company for not including it with Authenticator’s account-syncing update, Google product manager Christiaan Brand. responded on Twitter by saying that the company has “plans to offer E2EE” in the future.
“Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use,” Brand writes. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.
Earlier this week, Google Authenticator finally started giving users the option to sync two-factor authentication codes with their Google accounts, making it much easier to sign into accounts on new devices.
While this is a welcome change, it also poses some security concerns, as hackers who break into someone’s Google account could potentially gain access to a trove of other accounts as a result. If the feature supported E2EE, hackers and other third parties, including Google, wouldn’t be able to see this information.
Security researchers Mysk highlighted some of these risks in a post on Twitter, noting that “if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.” They added that Google could potentially use the information linked to your accounts to serve personalized ads and also advised users not to use the syncing feature until it supports E2EE.
Brand pushed back against the criticism, stating that while Google encrypts “data in transit, and at rest, across our products, including in Google Authenticator,” applying E2EE comes at the “cost of enabling users to get locked out of their own data without recovery.” There’s still no timeline for when Google will actually bring E2EE to Authenticator’s new account-syncing feature, though, leaving users with the option of using the feature without E2EE or just continuing to use Google Authenticator offline.