Skip to main content

Google on why Authenticator sync isn’t E2E encrypted, but option coming later

On Monday, Google Authenticator launched the ability to sync 2FA codes to your Google Account. It has since emerged that the capability isn’t end-to-end encrypted (E2EE), and Google explained why today.

Security researchers at Mysk yesterday were critical that Google Authenticator’s new sync capability is not end-to-end encrypted (E2EE) and, therefore, Google could, theoretically, get and replicate your 2FA codes.

This complaint is valid for those that are very security conscious and don’t trust Google (or a malicious third-party) to not access user data. Those with these concerns want to make it so that nobody but them can access 2FA codes by having it end-to-end encrypted with another key (or passcode) that only they are aware of.

Google today explained that the goal of Authenticator’s new sync feature is to “offer features that protect users, BUT are useful and convenient.” Acknowledging that “E2EE is a powerful feature that provides extra protections,” the downside is that users might “get locked out of their own data without recovery” if they forget or lose their Google Account password (or extra layer of added security).

The Google Password Manager today offers on-device encryption that “turns your device into a key that’s used to lock your passwords before they’re saved to Google Password Manager.” However, “if you lose the key, you could lose your passwords too.”

That being said, Google “plans to offer E2EE for Google Authenticator down the line.” In the meantime, it reminded users that they can continue to use the app offline/without Google Account sync.

The company also added today that it encrypts data in transit and rest for Authenticator and all other Google products. 


On a side note, if you have Google Authenticator set-up on several devices, be careful when updating to the new version and enabling sync. When syncing, Google will not recognize identical codes or automatically merge them. You might end up with many duplicates as a result.

To avoid this, first set-up sync on your main device and then delete every other instance of the Google Authenticator app. As such, when you reinstall the updated app on secondary devices, it will just sync from your main device and not show duplicates.

Kyle Bradshaw contributed to this post

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications