
posted by hubie on Friday April 28, @05:37AM

An examination by security researchers finds an alarming flaw in the search giant's new feature, which syncs your Authenticator app across devices:

A new two-factor authentication tool from Google isn't end-to-end encrypted, which could expose users to significant security risks, a test by security researchers found.

Google's Authenticator app provides unique codes that website logins may ask for as a second layer of security on top of passwords. On Monday, Google announced a long-awaited feature, which lets you sync Authenticator to a Google account and use it across multiple devices. That's great news, because in the past, you could end up locked out of your account if you lost the phone with the authentication app installed.

But when app developers and security researchers at the software company Mysk took a look under the hood, they found the underlying data isn't end-to-end encrypted.

[...] When Mysk and his partner Talal Haj Bakry analyzed the network traffic as the app synced with Google servers, they found the data is not end-to-end encrypted. "This means that Google can see the secrets, likely even while they're stored on their servers," the Mysk team wrote on Twitter. In the security community, "secrets" is the term for credentials that work as a key to unlock an account or a tool.

You can use Google Authenticator without tying it to your Google account or syncing it across devices, which avoids this issue. Unfortunately, that means it might be best to avoid a useful feature that users spent years clamoring for. "The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy," Mysk wrote. "We recommend using the app without the new syncing feature for now."

[...] The lack of encryption means Google could in theory look at the data and learn what apps and services you use, which can be valuable for a number of purposes, including targeted ads. "Allowing a tech giant thirsty for data like Google to establish a graph of all accounts and services each user has is not a good thing," Mysk said.

The issue comes as a surprise, given Google's history with similar tools. Google has a vaguely similar feature that lets you sync data from Google Chrome across devices. There, the company gives users the option to set up a password to protect that data, keeping it away from prying eyes at Google and protecting it from anyone else who might intercept it.

"2FA secrets are considered sensitive data, just like passwords. Google already supports passphrases for syncing Chrome data. So we expected that 2FA secrets be treated the same," Mysk said.


  • (Score: 3, Interesting) by darkfeline on Friday April 28, @09:34AM

    by darkfeline (1030) on Friday April 28, @09:34AM (#1303596)

    Wow, where to even begin?

    1. I don't recall them promising that this is E2E encrypted.
    2. The target userbase for this wouldn't know or care that it is E2E encrypted, and in fact that would only lead to the average user getting locked out.
    3. Google Authenticator isn't FOSS AFAIK so if you don't trust Google you're fucked with or without E2E. So you literally gain nothing.
    4. TOTP is not only not "real" 2FA, but when you sync it, you are throwing the 2FA out the window. Missing E2E is not increasing your security posture.

    Protip: get two yubikey-equivalents, register both, stick one in a safe. If a site only supports TOTP, store it in your key.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 3, Interesting) by VLM on Friday April 28, @11:29AM

    by VLM (445) on Friday April 28, @11:29AM (#1303608)

    At a protocol level, how would anyone propose someone do a restore that's E2E encrypted?

    Remember, you can't use a password because the entire point was not to use passwords anymore.

    On the other hand, the guy is correct, the only reason to sync auth across devices is to make sure the cops have access without your knowledge or permission. That's the entire point of "authenticator apps" as a technology, to remove privacy from the masses.
