Google's Authenticator App NOT Encrypted End-to-End, Might Expose Users to Security Risks

Google's two-factor authentication isn't as safe as we think.

Google Authenticator isn't end-to-end encrypted, new tests show. This means the security tool is not spared from security risks, and it might expose your personal information to outside attacks.

Google Authenticator App Is Not End-to-End Encrypted

According to a report by Gizmodo, software firm Mysk conducted tests in which its security researchers and developers examined whether the two-factor authenticator was safe enough for users.

"We tested the feature as soon as Google released it. We realized that the app didn't prompt or offer an option to use a passphrase to protect the secrets," the company posted on Twitter.

The experts also added that the app's traffic is not end-to-end encrypted. Mysk shared screenshots showing that Google most likely knows your confidential information if it is stored on its servers.

If you have doubts about the app not being end-to-end encrypted, you can unlink your Google account from Google Authenticator.

Mysk also said that although the 2FA method is deemed useful across different devices, users expose their privacy when using it. Because of this, the company no longer recommends that users sync their accounts to the app.

The Danger Behind Google Authenticator

Mashable reported this week that Google Authenticator codes can now be stored in the cloud, which gives users the option of keeping them somewhere other than the device as long as a Google Account is linked.

The search engine giant said that this update solved a long-standing flaw with one-time codes that had been bugging users.

Of course, the feature is optional, and you can keep storing the codes locally if you wish.

While syncing the 2FA secrets is very handy, the Mysk researchers found that the secrets would leak if Google's servers are compromised.

What's worse, the threat actor could know the other information connected to your account, including the account name and its associated app.

It's very risky, especially for a content creator or an activist who usually has many anonymous Twitter accounts.

According to Tommy Mysk, hackers aren't the only thing to worry about, since Google staff can gain access to your data without permission.

Tommy adds that it's not a good thing for an authenticator tool to lack encryption. This also means that Google will have more control over the targeted ads it wants to show to a particular audience.

Mysk expects that Google will treat 2FA secrets the same way as passwords. In short, everything associated with sensitive data should be treated with extreme confidentiality and caution.

Joseph Henry
Tech Times