Google Authenticator's 2FA Upgrade Is Missing A Major Security Feature But Not For Long

Conventional wisdom holds that adding two-factor authentication (2FA) is the best way to secure your online accounts. With this feature enabled, a threat actor would need your login credentials, as well as a one-time code to access your data. Google Authenticator is a popular way to store two-factor codes, and a recent update added a long-awaited option to back up those codes. However, security researchers are now warning users to hold off using that feature until Google fixes a glaring security omission.

When you set up a 2FA account, the service in question probably warns you at least two or three times to take care of your code generator. The token is stored locally on your phone, so a broken or lost phone could lock you out of your accounts. It can be a real nightmare.

That's why backups are a desirable feature. Lost your phone? Just sync the 2FA tokens to a new device, and everything is back to normal. Google has finally made that an option in Authenticator, but it did so in a haphazard way. Security researchers Mysk pointed out that Google has not implemented end-to-end encryption for Authenticator. That means your 2FA codes are just sitting exposed on Google's servers. If someone were to gain access to your Google account, they could take those tokens and compromise all the 2FA codes for your other accounts. The codes also give Google even more data about the services you use and could theoretically feed into your advertising profile.

(1/4) We’re always focused on the safety and security of @Google users, and the newest updates to Google Authenticator was no exception. Our goal is to offer features that protect users, BUT are useful and convenient.

— Christiaan Brand (@christiaanbrand) April 26, 2023

Most security experts are advising everyone to avoid using the new backup feature for now. Google product manager Christiaan Brand has responded to the concerns to downplay the severity. He points out that data is encrypted across all Google products during transfer and at rest, but end-to-end encryption offers "extra protections" that Google didn't feel were necessary. Specifically, he cites the increased likelihood that someone could be locked out of their accounts by forgetting a passphrase.

Although Google apparently believes it "[struck] the right balance for most users," end-to-end encryption is now on the roadmap for Authenticator. Brand has not offered a timeline, but the feature is coming. In the meantime, concerned 2FA users can still run Authenticator in offline mode or switch to a different 2FA app. At least Google isn't taking away two-factor features like some companies are.