Google Authenticator sync doesn’t offer end-to-end encryption of users’ 2FA codes

However, this only applies if you want to turn on the new sync functionality, which you may not need...


Google Authenticator, which is used for two-factor authentication (2FA), recently got an update, but it isn’t quite as nice as Google would like us to believe.

As part of the update, the app got a sync option for one-time codes, which would allow users to store them in their Google Accounts. The idea makes perfect sense as it would help prevent a situation where a user is locked out of all of their accounts since those one-time codes were previously stored on the device the app was installed on.

However, according to the software company Mysk, users may need to take into consideration that the network traffic generated by the Authenticator app is not end-to-end encrypted. Because of this, a savvy hacker could steal the “secret” or “seed” that is used to generate your 2FA QR code and potentially cause havoc.

Moreover, Mysk mentions 2FA QR codes can sometimes contain other information about you, such as your account name and the name of the service the code is for. In theory, Google could use this information to further personalize ads for you throughout its services. Then, if Google were ever to suffer a data breach, your information could be exposed.

Christiaan Brand, a product manager at Google, thinks there is no reason for concern, adding that there are plans to offer end-to-end encryption later on down the line. He added that Google encrypts your data from all of its apps, including Authenticator, when it is “in transit and at rest.”

“Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use,” Brand continues. Furthermore, the inclusion of stronger encryption like E2E could resurface the possibility of users becoming locked out of their accounts.

What we like is that Google Authenticator’s account sync is not mandatory, and even if you use it, you will be pretty secure. Still, we like having the option to turn features like these on and off. Now, if we could get a toggle for ad personalization from Google, that would be a blast – don’t you think?