mysk,

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security


mysk,

.... if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.

Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc.). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.

Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.

The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now.

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security
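The seed inside a 2FA QR code is the whole story: whoever holds a copy of it can mint the same codes. As an added example, not code from the thread or from Google, the Go program below parses an otpauth:// URI of the kind an enrollment QR code encodes (issuer, account and base32 seed, which is the service and account data the thread notes Google can see), derives RFC 4226/RFC 6238 codes from the seed, and shows the check a service performs against its own copy of that seed. The URI, issuer, account and seed are constructed sample values that belong to no real account; the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Enrollment is what a 2FA QR code carries: an otpauth:// URI naming the service (issuer),
// the account, and the shared seed. Everything needed to mint codes is in the QR image.
type Enrollment struct {
	Issuer  string
	Account string
	Secret  []byte // seed bytes after base32 decoding
}

// ParseOTPAuth decodes an otpauth://totp/... URI of the kind encoded in enrollment QR codes.
func ParseOTPAuth(raw string) (Enrollment, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Enrollment{}, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return Enrollment{}, fmt.Errorf("not a TOTP otpauth URI")
	}
	label := strings.TrimPrefix(u.Path, "/") // "Issuer:account" or just "account"
	issuer := u.Query().Get("issuer")
	account := label
	if i := strings.Index(label, ":"); i >= 0 {
		if issuer == "" {
			issuer = label[:i]
		}
		account = label[i+1:]
	}
	// QR codes carry the seed as unpadded base32; tolerate lowercase and spaces.
	s := strings.ToUpper(strings.ReplaceAll(u.Query().Get("secret"), " ", ""))
	seed, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
	if err != nil {
		return Enrollment{}, fmt.Errorf("bad secret: %w", err)
	}
	return Enrollment{Issuer: issuer, Account: account, Secret: seed}, nil
}

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238 with the default 30-second step: the counter is floor(unixTime / 30).
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/30), digits)
}

// Verify is what the service does at login: it holds the same seed and accepts the code for
// the current step or its neighbours (one step of clock skew either way), compared in constant time.
func Verify(secret []byte, code string, unixTime int64, digits int) bool {
	for _, skew := range []int64{0, -30, 30} {
		if subtle.ConstantTimeCompare([]byte(TOTP(secret, unixTime+skew, digits)), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample enrollment; the secret is arbitrary and belongs to no real account.
	uri := "otpauth://totp/ExampleService:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=ExampleService"
	e, err := ParseOTPAuth(uri)
	if err != nil {
		panic(err)
	}
	fmt.Printf("QR code reveals issuer=%q account=%q and a %d-byte seed\n", e.Issuer, e.Account, len(e.Secret))
	now := time.Now().Unix()
	// The phone, a second synced device, the service, and any sync backend that stores the seed
	// all compute this same value; that is why the seed itself is the thing to protect.
	code := TOTP(e.Secret, now, 6)
	fmt.Println("code now:", code, "accepted by the service:", Verify(e.Secret, code, now, 6))
}
```

The parse step makes the thread's privacy point concrete: issuer and account label travel with the seed, so a backend that sees the synced payload learns which services an account uses. The Verify step makes the security point: the service already holds one copy of the seed by design, and every additional copy in the clear is another place from which valid codes can be produced.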

ezrabowman,

@mysk Right. Don’t use Google for this. Use 2FAS instead. https://2fas.com/

jomo,
@jomo@mstdn.io avatar

@mysk tl;dr: Syncing your shit with Google allows Google to see your shit. News at eleven.

Honestly, who would add their Google account to an app to sync its data and then expect privacy?

nhan,

@jomo @mysk There are people who just don't know or aren't educated enough about privacy.

alcinnz,
@alcinnz@floss.social avatar

@jomo @mysk It is perfectly possible for Google, or anyone else, to implement syncing without letting themselves see the data. This is not a "well, duh!" situation.

And given authentication is a very security-sensitive field we should be able to expect more from Google here!

juliank,
@juliank@mastodon.social avatar

@alcinnz @jomo @mysk In order to be able to encrypt stuff you need a key of some sort. If the app doesn't ask for a key, then sure, yes, it's a "well, duh" situation.

The same applies to their password manager which is also not E2EE. They store passwords encrypted with an online key they control lol.

To be fair, storing passwords unencrypted in your Google account is usually not much of an issue because you can just request password reset emails to the Gmail anyway if you pwned the account.

berkes,
@berkes@mastodon.nl avatar

@alcinnz @jomo @mysk indeed. E2E encryption would not only be relatively easy, it is to be expected and common in this area.

ombremad,
@ombremad@eldritch.cafe avatar

@jomo @mysk ugh, people like you are so annoying. Data encryption is a thing, news at 12.

jomo,
@jomo@mstdn.io avatar

@ombremad @mysk yes, and I'm all for encrypting all the things. It's just that no one would reasonably expect Google to do this. They also don't encrypt your cloud storage or your emails in gmail. And AFAIK they also store all your Wi-Fi passwords on Android by default. So it's just nothing new, really.

ombremad,
@ombremad@eldritch.cafe avatar

@jomo @mysk what is « reasonable », who is this « everyone » you’re the spokesperson of? Of course Google has a duty to encrypt passwords and sensitive data such as 2FA. They’re not above the good practices or even the laws.

jomo,
@jomo@mstdn.io avatar

@ombremad @mysk they have a business interest in not encrypting your data and they don't care about moral duties or the law. No reasonably thinking person should be surprised by that in 2023.

ombremad,
@ombremad@eldritch.cafe avatar

@jomo @mysk again, stop trying to make yourself spokesperson of the « reasonable people ». Their business interest might be tightly bound to EU laws and possible sanctions there, but what do I know, I’m obviously not reasonable.

jomo,
@jomo@mstdn.io avatar

@ombremad @mysk They have a track record of not encrypting things, so I don't think it's unfair to call it unreasonable to be surprised by them not encrypting the next thing.

Regarding the EU laws and fines, they have paid those a few times already. I'm pretty sure their lawyers did see that coming before, but they must have determined that paying the pocket money of a fine is cheaper than following the law. No one is going to jail, unfortunately.

jomo,
@jomo@mstdn.io avatar

@ombremad @mysk But I don't feel like this discussion is getting us anywhere so we might just have to disagree and leave it at that. Have a nice day.

ThatWouldBeTelling,

@jomo @ombremad @mysk Google has a track record of encrypting data between all their data centers etc.

That said, to answer the question of @ijk64 if we assume this isn’t deliberate, Google’s HR and technical policies, for the former the incentive structure is very messed up. The very best thing you can do to get promoted and thus earn more money is to launch a new product. Maintaining the really big stuff like GMail appears to be “OK” for your career. New features or maintenance on something considered to be inconsequential to the company like Google Authenticator is very much not. So that’s not going to get their best talent.

And their monorepo means all their systems constantly rot, so they need constant maintenance to keep working; compare to the Bezos top down command to Amazon to make everything work like a service with a defined API; he didn’t care how you did this, just that you did or you’d be fired.

Thus Google Reader had to be killed to make Google+ without investing the effort to keep the former working, the many tombstones in Google graveyards (search on those words…), and why ventures like Stadia are doomed at launch because too few trust Google to keep them going.

jomo,
@jomo@mstdn.io avatar

@ThatWouldBeTelling @mysk @ombremad @ijk64 this is about E2EE, not transport encryption or encryption at rest.

arctic,

@jomo @mysk because this is a matter of security not privacy. What Google is doing here is simply stupid.

chucker,
@chucker@norden.social avatar

@jomo @mysk the thing is, 2FA keys in iCloud Keychain are E2EE. So it can absolutely be done.

(Does anyone know if Authy uses E2EE?)

femaven,

@chucker @jomo @mysk or 1pass for their 2fa?

stonebear,

@jomo @mysk WAY too many people don't think the way we do. I would never do that just on principle, but they pay me to be a paranoid BOFH, and I don't put that habit away when quittin' time comes around.

I agree, giving Google more info than is necessary is unthinkable... but this implies the think... and thereby hangs a tail... [stet]

mlevison,
@mlevison@agilealliance.social avatar

@mysk or don’t use Google Authenticator

EricCarroll,

@mlevison @mysk Yubikey authenticator. No on-phone secrets!

(Yubikey not included)

Ronald,
@Ronald@mastodon.nl avatar

@mlevison @mysk Exactly. Use Authy.

ctietze,
@ctietze@mastodon.social avatar

@mysk I've been sharing this post like crazy in the past month. Do you have this published somewhere where the link would be more stable than Mastodon?

mysk,

@ctietze

Cool, thank you! We published this on Twitter too:

https://twitter.com/mysk_co/status/1651021165727477763

The findings were also covered by several security websites; here is a good article by Naked Security:

https://nakedsecurity.sophos.com/2023/04/26/google-leaking-2fa-secrets-researchers-advise-against-new-account-sync-feature-for-now/

ctietze,
@ctietze@mastodon.social avatar

@mysk Thank you!

Twitter posts aren't much more reliable storage, but Web Archive to the rescue :) The blog post is great, thanks!

zorangrbic,

@mysk We're talking about Google Authenticator, yes?

nf3xn,
@nf3xn@mastodon.social avatar

@mysk LMAO a blatant intercept. Fuck you #Google

JesseF8693,

@mysk Much needed for their data collection, I'm sure.

ilyess,
@ilyess@mastodon.online avatar

@mysk I don’t get why a TOTP app needs access to contacts and location… but here it’s Google so that’s somewhat expected 🙄

eonity,
@eonity@mastodon.social avatar

@mysk that’s nasty. I use Microsoft Authenticator here and I wonder if they encrypt their data when syncing and backing up across devices; otherwise I’m turning it off there as well.

Was using Google Authenticator for a few accounts but migrated all of them to Microsoft Authenticator; if Microsoft screws this up as well I might need to migrate again to something else entirely.

mysk,

@eonity Microsoft Authenticator does encrypt the backups, but stores the encryption key on their servers 🙃

However, for manual backups, they support passphrases to protect the backups. Cloud backups don't support passphrases. 🤷‍♂️

Theoretically, Microsoft can access the secrets.

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/how-it-works-backup-and-restore-for-microsoft-authenticator/ba-p/1006678

eonity,
@eonity@mastodon.social avatar

@mysk well snap. I think I will have to disable cloud backups on my Microsoft Authenticator.

zleap,
@zleap@qoto.org avatar

@mysk

Thank you for the heads up. I hope this is not a simple oversight, but given big tech's reputation, I suspect there is more behind this, especially as governments want access to this info.

asahi95,

@mysk I just use #Yubico Authenticator for 2FA codes cause it doesn't need to sync with anything and is safe with my #Yubikey

I'm pretty much trying to prioritize security keys these days instead of codes so this doesn't truly matter to me

objectinspace,

@mysk Are the keys e2e encrypted in MS authenticator?

kirsch,
@kirsch@mastodon.world avatar

@mysk I use @1password for all my 2FA needs.

bahuma20,

@kirsch But be aware that storing 2FA in the same place as your passwords does break the security it comes with... If your 1Password safe gets hacked/leaked, nothing prevents an attacker from using your credentials. When having 2FA only on your phone, you are safe even when your 1Password safe is hacked.

yaitorr,

@bahuma20 @kirsch I have all my 2FA in 1Password except the 1Password-specific one. I store that one in Microsoft Authenticator. This means that, at the very least, you will need an authenticated client and the master password to do damage. It’s a good compromise between convenience and security, imo.

bahuma20,

@yaitorr Good solution, but it still doesn't protect you from a virus on your computer that steals credentials once you are logged in to the 1Password application.

GhostOnTheHalfShell,
@GhostOnTheHalfShell@masto.ai avatar

deleted_by_author

IAmDannyBoling,
@IAmDannyBoling@mstdn.social avatar

@GhostOnTheHalfShell @mysk

That's a great video, Ghost. Thank you for sharing it. Your arguments are very compelling.

mookie,

deleted_by_author

dan,

@mookie @mysk i understand that authy uses a 'master password' to encrypt the secrets, so it seems like a better situation. But no promises about what their encryption is like i guess.

mookie,

deleted_by_author

motoridersd,
@motoridersd@pug.ninja avatar

@mookie @dan @mysk yes, they say it's supposed to be encrypting in this blog post.

Not sure if the effectiveness of this encryption has been tested.

https://authy.com/blog/how-the-authy-two-factor-backups-work/

mookie,

@motoridersd @dan @mysk

Ooooh thank you for this Jorge!

CodexArcanum,
@CodexArcanum@hachyderm.io avatar

deleted_by_author

ben,

@CodexArcanum @mysk Authy is nice but causes vendor lock-in. It doesn't allow you to re-export your enrollments and requires you to re-enroll on every single website. I've recently migrated away from it and it was a huge PITA.