Google Plans To Add End-To-End Encryption To Authenticator (theverge.com)
After security researchers criticized Google for not including end-to-end encryption with Authenticator's account-syncing update, the company announced "plans to offer E2EE" in the future. "Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use," writes Google product manager Christiaan Brand on Twitter. "However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves." The Verge reports: Earlier this week, Google Authenticator finally started giving users the option to sync two-factor authentication codes with their Google accounts, making it much easier to sign into accounts on new devices. While this is a welcome change, it also poses some security concerns, as hackers who break into someone's Google account could potentially gain access to a trove of other accounts as a result. If the feature supported E2EE, hackers and other third parties, including Google, wouldn't be able to see this information.
Security researchers Mysk highlighted some of these risks in a post on Twitter, noting that "if there's ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised." They added that Google could potentially use the information linked to your accounts to serve personalized ads and also advised users not to use the syncing feature until it supports E2EE. Brand pushed back against the criticism, stating that while Google encrypts "data in transit, and at rest, across our products, including in Google Authenticator," applying E2EE comes at the "cost of enabling users to get locked out of their own data without recovery."
Lock the door, leave the keys in the keyhole (Score:3, Funny)
What could possibly go wrong?
Will use it for ads, there fixed it for you (Score:2, Interesting)
wait, what? (Score:3, Interesting)
So this means the CURRENT version IS NOT end-to-end encrypted? This is an authenticator. Encryption is part of its mandate!
I realize they're short-term single-use codes, but c'mon.... seriously? not encrypted?
Re:wait, what? (Score:5, Insightful)
Nah, mate - your private keys aren't short term use.
And they turned on Trust Google syncing in a silent update BY DEFAULT in an automatic update for an offline authenticator.
Smells like barbecued Warrant Canary to me.
I wonder whose keys the spooks so desperately needed that killing GA as a product was worth it.
Re: (Score:2)
Silent update? What are you talking about? Is this something that happens when your phone is tied to a Google account? (My Android phone is not and my Google Authenticator on it is not syncing anything either ...)
My take is this is just extreme incompetence, nothing else. I do agree that this may end up killing Google Authenticator though. Better move to an alternative by somebody that has something to lose like Authy. (Can sync, but does not by default.)
Re: (Score:2)
When the app updated for me it didn't default to syncing. It required me to explicitly enable it and sign in first.
Might be different on iOS, but on Android this is purely opt-in as far as I can see.
Re: wait, what? (Score:5, Informative)
There is a secret key stored on your device that is used to generate the time-based code, it would have been conveyed via a QR code you scanned when setting up 2FA.
Google recently introduced a feature to sync those secret keys via Google cloud. It's encrypted (between your device and the Google server) but security researchers want it end-to-end encrypted (so that Google themselves can't read them, only the user can).
How they plan to do this is the question, since E2EE requires the user to manage their own private key. Which is kind of a problem when the thing being synced is itself a set of keys, and the sync feature is specifically intended for users who find key management too complicated.
Re: (Score:2)
Google already does this for Chrome sync data. If you set a password then all the data is encrypted client side before being sent to Google's cloud for storage. It's no problem at all to encrypt other encryption keys.
TOTP itself isn't great because every server that uses it has to keep a copy of the secret key, meaning that if it gets hacked the hacker will very likely get that key as well as your (hopefully hashed) password. WebAuthn/FIDO2 is much better, but not widely supported. Hopefully that will chang
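The comment above says that once you have a user-chosen password, "it's no problem at all to encrypt other encryption keys." Here is an added example of what that looks like in practice; it is not Google's, Chrome's, or Mysk's code. A password-derived key (scrypt) encrypts the bundle of TOTP secrets on the client before anything is uploaded, and an authentication tag means a wrong password yields nothing rather than garbage, which is exactly the "locked out without recovery" trade-off Brand describes. To keep it runnable on the Python standard library alone, the example uses HMAC-SHA256 as a PRF in counter mode plus a separate encrypt-then-MAC tag; a real implementation would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305. The bundle layout and the secrets in it are constructed for the example.

```python
"""Client-side (E2EE-style) sealing of a TOTP secret bundle with a user password.

Added example, not code from the page or from Google/Chrome. The cipher is
HMAC-SHA256 in counter mode with an HMAC tag so it runs with only the standard
library; use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) in real software.
"""
import hashlib
import hmac
import json
import os
import struct

# Constructed sample data: base32 TOTP secrets such as an authenticator would
# hold. These are not real credentials.
SAMPLE_BUNDLE = {
    "github:alice": "JBSWY3DPEHPK3PXP",
    "bank:alice": "GEZDGNBVGY3TQOJQ",
}

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(password: str, salt: bytes) -> tuple:
    """scrypt the password into one encryption key and one MAC key (32 bytes each)."""
    km = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])


def seal_bundle(password: str, bundle: dict) -> bytes:
    """Encrypt-then-MAC the JSON bundle. Output: salt || nonce || ciphertext || tag.

    Only this blob leaves the device; the server never sees the password or keys.
    """
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    plaintext = json.dumps(bundle, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_bundle(password: str, blob: bytes) -> dict:
    """Verify the tag in constant time, then decrypt. Wrong password => ValueError.

    There is no recovery path here by design: without the password the blob is
    just random-looking bytes, which is the lockout trade-off Google cites.
    """
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered blob: nothing recoverable")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def opens_with(password: str, blob: bytes) -> bool:
    """True if the password unlocks the blob, False if it is rejected."""
    try:
        open_bundle(password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sealed = seal_bundle("correct horse battery staple", SAMPLE_BUNDLE)
    print(len(sealed), "bytes uploaded; server can read none of it")
    print(open_bundle("correct horse battery staple", sealed))
    print("wrong password recovers anything:", opens_with("hunter2", sealed))
```

The salt is stored with the blob so the same password reproduces the same keys on a new device; nothing else about the password is ever transmitted.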
Re: (Score:2)
How they plan to do this is the question, since E2EE requires the user to manage their own private key. Which is kind of a problem when the thing being synced is itself a set of keys, and the sync feature is specifically intended for users who find key management too complicated.
Other password managers already accomplish it, but it admittedly comes with friction that pushes it beyond the realm of most everyday users.
For instance, in addition to the "one password" you use with 1Password, subscription accounts also have a randomly-generated private key that's created client-side when the account is first established. That private key is never transmitted to 1Password and must be manually entered into each new client device. 1Password does a good job at communicating the need to prese
Re: (Score:1)
Re: (Score:2)
Crappy product, stay away (Score:2)
And "we believe that our current product strikes the right balance for most users" means I will not ever install an instance of this thing ever again, because what Google is effectively saying is "we do not care one bit about our users' security".
The real problem (Score:2)
Users don't want to manage their authentication data so Google will put a hole in the software (network access) and in the cloud storage (secrets as plain-text) so they can always access their other accounts.
This is dumbing-down procedures so online providers don't have to explain responsible key/secret/password management. Yes, teaching users to manage their authentication data is difficult: When they lose an online service, (Ideally, online providers will delete the account and data, creating a 'new' a
Re: (Score:2)
Authy (Score:1)
A couple of years ago my iPhone broke and it couldn't be repaired, so I bought a new one. At that time Google Authenticator didn't have backup systems in place, so I had to go through all my 2FA accounts to regain access. Some of my 2FA was in the Authy app, which saved the few entries I had in there, once I supplied the encryption password. So as I worked through the list, I just added them all to Authy, and haven't given Google's Authenticator any thought since.
Don't use cloud for your OTP/2FA tokens (Score:4, Interesting)
Don't use cloud for your One Time Password 2FA tokens.
Instead, use a third-party 2FA app, such as Free OTP+ [google.com].
And from that, export your tokens to your desktop or server in a directory that is not readable to group and others.
Then use these tokens from a Linux-based OTP tool. There is a command line tool called oathtool [ubuntu.com] that works well.
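To make concrete both the "secret key stored on your device" from the Informative reply above and the "export to a directory not readable to group and others, then use oathtool" workflow in this comment, here is an added example that is not code from the page, from oathtool, or from Google. It implements RFC 4226 HOTP and RFC 6238 TOTP from the base32 secret (the same computation oathtool's `--totp` does), and reads the secret from a token file only if its mode has no group/other bits. The directory layout and file names are assumptions for the example; the embedded secret is the RFC 4226/6238 test vector, not a real credential.

```python
"""RFC 6238 TOTP from a base32 secret, with a file-permission check on the token.

Added example, not code from the page, Google, or oathtool. Usage mirrors
`oathtool --totp -b SECRET`: python totp.py ~/.otp/github.token
"""
import base64
import hashlib
import hmac
import os
import stat
import struct
import sys
import tempfile
import time
from pathlib import Path

# RFC 4226 / RFC 6238 reference secret "12345678901234567890", base32-encoded.
# A real token is the same kind of value: whoever holds it can mint valid codes
# indefinitely, which is why syncing these secrets is the point of contention.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    s = secret_b32.strip().replace(" ", "")
    s += "=" * (-len(s) % 8)  # restore base32 padding some apps strip
    secret = base64.b32decode(s, casefold=True)
    return hotp(secret, unix_time // step, digits)


def is_private(path: Path) -> bool:
    """True if the file has no group/other permission bits (e.g. mode 0600)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def load_token(path: Path) -> str:
    """Read a base32 secret, refusing files other local users could read."""
    if not is_private(path):
        raise PermissionError(f"{path} is readable by group/others; refusing to use it")
    return path.read_text().strip()


def demo() -> dict:
    """Constructed sample: a 0600 token file is used, a 0644 one is rejected."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d) / "github.token", Path(d) / "shared.token"
        for p in (good, bad):
            p.write_text(RFC_TEST_SECRET_B32 + "\n")
        os.chmod(good, 0o600)
        os.chmod(bad, 0o644)
        result = {
            "code_at_t59": totp(load_token(good), 59),
            "code_at_t59_8digit": totp(load_token(good), 59, digits=8),
        }
        try:
            load_token(bad)
            result["shared_rejected"] = False
        except PermissionError:
            result["shared_rejected"] = True
        return result


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(totp(load_token(Path(sys.argv[1])), int(time.time())))
    else:
        print(demo())
```

Keeping the secrets as 0600 files under a 0700 directory gives you the same property the cloud-sync debate is about: only the account that owns the files can produce codes from them.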