Google Authenticator will get end-to-end encrypted — eventually. Google Product Manager Christiaan Brand responded to security researchers who criticized the company’s decision not to include it in the Authenticator account-syncing upgrade by saying the company “plans” to offer E2EE in the future.
Brand writes: “Right now, we think that our product is the best balance for users and offers significant benefits over using it offline. However the option to use it offline will still remain for those who want to manage their own backup strategy.”
Google Authenticator has finally begun allowing users to sync their two-factor authentication codes to Google accounts. This makes it easier for them to sign in to accounts on different devices.
This is a welcome change. However, it poses some security issues, since hackers who gain access to someone’s Google Account could gain access to other accounts. If this feature supported E2EE, then hackers and third parties, including Google, would not be able to see the information.
Mysk, a security researcher, highlighted some of these risks on Twitter. They noted that “if ever there is a data breach, or if anyone gains access to your Google Account all of your secrets of 2FA would be compromised.” Additionally, they advised users to avoid using the syncing function until E2EE support was available.
Brand reacted to the criticism by stating that, while Google encrypts data in transit and at rest across its products, including Google Authenticator, applying E2EE “allows users to be locked out of their data without recovery.”
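To make the trade-off concrete, here is an added illustration (not Google's code, and not how Authenticator actually stores synced data) of what end-to-end encryption of a 2FA seed means for a sync backend. The seed is encrypted on the device with a key derived from a passphrase the server never sees, so the stored record reveals nothing to an account intruder or to the provider; the flip side is that a forgotten passphrase leaves no recovery path, which is exactly the lock-out Brand describes. The TOTP seed and passphrases are constructed sample values, and the HMAC-based stream cipher is a self-contained stand-in for the authenticated cipher (e.g. AES-GCM) a real implementation would use.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed placeholder seed; real authenticator seeds look like this base32 string.
SAMPLE_TOTP_SECRET = "JBSWY3DPEHPK3PXP"


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from a user-held passphrase. Only the device runs this."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _subkeys(key: bytes):
    """Split the derived key into separate encryption and authentication keys."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF keystream (demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_secret(passphrase: str, secret: str) -> Dict[str, bytes]:
    """Client-side (E2EE) protection of a 2FA seed before it is uploaded for sync."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(passphrase, salt))
    data = secret.encode()
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def decrypt_secret(passphrase: str, record: Dict[str, bytes]) -> Optional[str]:
    """Recover the seed on a new device. Returns None on a wrong passphrase or tampering."""
    enc_key, mac_key = _subkeys(derive_key(passphrase, record["salt"]))
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # no provider-side recovery exists: the key never left the user
    stream = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], stream)).decode()


def server_visible(record: Dict[str, bytes]) -> bytes:
    """Everything the sync backend (or an intruder in the account) can read."""
    return record["salt"] + record["nonce"] + record["ct"] + record["tag"]


def plaintext_sync_record(secret: str) -> Dict[str, bytes]:
    """Contrast: a sync record with no E2EE layer exposes the seed to whoever holds the account."""
    return {"secret": secret.encode()}


if __name__ == "__main__":
    rec = encrypt_secret("correct-horse-battery", SAMPLE_TOTP_SECRET)
    print("stored by provider:", server_visible(rec).hex())
    print("recovered with passphrase:", decrypt_secret("correct-horse-battery", rec))
    print("recovered with wrong passphrase:", decrypt_secret("forgotten", rec))
```

Run it and the provider-side record is opaque bytes, the right passphrase restores the seed, and a wrong one yields `None` with nothing the provider could do about it. The `plaintext_sync_record` helper shows the alternative that prompted the researchers' warning: without the client-side layer, the seed sits in the synced data as-is.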