Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Encryption Google Security

Google Plans To Add End-To-End Encryption To Authenticator (theverge.com) 24

After security researchers criticized Google for not including end-to-end encryption with Authenticator's account-syncing update, the company announced "plans to offer E2EE" in the future. "Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use," writes Google product manager Christiaan Brand on Twitter. "However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves." The Verge reports: Earlier this week, Google Authenticator finally started giving users the option to sync two-factor authentication codes with their Google accounts, making it much easier to sign into accounts on new devices. While this is a welcome change, it also poses some security concerns, as hackers who break into someone's Google account could potentially gain access to a trove of other accounts as a result. If the feature supported E2EE, hackers and other third parties, including Google, wouldn't be able to see this information.

Security researchers Mysk highlighted some of these risks in a post on Twitter, noting that "if there's ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised." They added that Google could potentially use the information linked to your accounts to serve personalized ads and also advised users not to use the syncing feature until it supports E2EE. Brand pushed back against the criticism, stating that while Google encrypts "data in transit, and at rest, across our products, including in Google Authenticator," applying E2EE comes at the "cost of enabling users to get locked out of their own data without recovery."

This discussion has been archived. No new comments can be posted.

Google Plans To Add End-To-End Encryption To Authenticator

Comments Filter:
  • by Tony Isaac ( 1301187 ) on Thursday April 27, 2023 @05:47PM (#63481978) Homepage

    What could possibly go wrong?

  • Google will be using this for ads. They don't always know what data is useful, however MFA does allow them to determine some of the services you use based on the name. The cost for them is loosing access to the data. The user is Google, you're just the product that provides the useful data. I'm not seeing a massive adoption of usb based key devices, however this would be a great justification to switch. Zero trust assumes the breach has already happened and you don't want to be the one finding out about it
  • wait, what? (Score:3, Interesting)

    by v1 ( 525388 ) on Thursday April 27, 2023 @05:52PM (#63481996) Homepage Journal

    So this means the CURRENT version IS NOT end-to-end encrypted? This is an authenticator. Encryption is part of its mandate!

    I realize they're short-term single-use codes, but c'mon.... seriously? not encrypted?

    • Re:wait, what? (Score:5, Insightful)

      by bill_mcgonigle ( 4333 ) * on Thursday April 27, 2023 @06:36PM (#63482084) Homepage Journal

      Nah, mate - your private keys aren't short term use.

      And they turned on Trust Google syncing in a silent update BY DEFAULT in an automatic update for an offline authenticator.

      Smells like barbecued Warrant Canary to me.

      I wonder whose keys the spooks so desparately needed that killing GA as a product was worth it.

      • by gweihir ( 88907 )

        Silent update? What are you talking about? Is this something that happens when your phone is tied to a Google account? (My Android phone is not and my Google Authenticator on it is not syncing anything either ...)

        My take is this is just extreme incompetence, nothing else. I do agree that this may end up killing Google Authenticator though. Better move to an alternative by somebody that has something to lose like Authy. (Can sync, but does not by default.)

      • by AmiMoJo ( 196126 )

        When the app updated for me it didn't default to syncing. It required me to explicitly enable it and sign in first.

        Might be different on iOS, but on Android this is purely opt-in as far as I can see.

    • Re: wait, what? (Score:5, Informative)

      by nsbfikwjuunkifjqhm ( 8274554 ) on Thursday April 27, 2023 @07:56PM (#63482182)
      I think you may be fundamentally misunderstanding what this is about. The "short term use" codes aren't encrypted at all because...they aren't sent anywhere. It displays on your screen and you type it in manually on the website login (which presumably is secured with TLS, but that has nothing to do with Google unless it happens to be a Google service you're logging in to).

      There is a secret key stored on your device that is used to generate the time-based code, it would have been conveyed via a QR code you scanned when setting up 2FA.

      Google recently introduced a feature to sync those secret keys via Google cloud. It's encrypted (between your device and the Google server) but security researchers want it end-to-end encrypted (so that Google themselves can't read them, only the user can).

      How they plan to do this is the question, since E2EE requires the user to manage their own private key. Which is kind of a problem when the thing being synced is itself a set of keys, and the sync feature is specifically intended for users who find key management too complicated.
      • by AmiMoJo ( 196126 )

        Google already does this for Chrome sync data. If you set a password then all the data is encrypted client side before being sent to Google's cloud for storage. It's no problem at all to encrypt other encryption keys.

        TOTP itself isn't great because every server that uses it has to keep a copy of the secret key, meaning that if it gets hacked the hacker will very likely get that key as well as your (hopefully hashed) password. WebAuthn/FIDO2 is much better, but not widely supported. Hopefully that will chang

      • How they plan to do this is the question, since E2EE requires the user to manage their own private key. Which is kind of a problem when the thing being synced is itself a set of keys, and the sync feature is specifically intended for users who find key management too complicated.

        Other password managers already accomplish it, but it admittedly comes with friction that pushes it beyond the realm of most everyday users.

        For instance, in addition to the "one password" you use with 1Password, subscription accounts also have a randomly-generated private key that's created client-side when the account is first established. That private key is never transmitted to 1Password and must be manually entered into each new client device. 1Password does a good job at communicating the need to prese

  • And "we believe that our current product strikes the right balance for most users" means I will not ever install an instance of this thing ever again, because what Google is effectively saying is "we do not care one bit about our user's security".

  • ... enabling users to get locked out ...

    Users don't want to manage their authentication data so Google will put a hole in the software (network access) and in the cloud storage (secrets as plain-text) so they can always access their other accounts.

    This is dumbing-down procedures so online providers don't have to explain responsible key/secret/password management. Yes, teaching users to manage their authentication data is difficult: When they lose an online service, (Ideally, online providers will delete the account and data, creating a 'new' a

  • by tanek ( 876501 )

    A couple of years ago my iphone broke and it couldn't be repaired, so I bought a new one. At that time Google Authenticator didn't have backup systems in place, so I had to go through all my 2FA accounts to regain access. Some of my 2FA was in the Authy app, which saved the few entries I had in there, once I supplied the encryption password. So as I worked through the list, I just added them all to Authy, and haven't given Googles Authenticator any thought since.

  • by kbahey ( 102895 ) on Friday April 28, 2023 @08:52AM (#63482978) Homepage

    Don't use cloud for your One Time Password 2FA tokens.

    Instead, use a third party 2FA apps, such as Free OTP+ [google.com].

    And from that, export your tokens to your desktop or server in a directory that is not readable to group and others.

    Then use these tokens from a Linux based OTP. There is a command line tool called oathtool [ubuntu.com] that works well.

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...