GOOGLE AUTHENTICATOR SYNC RISKS

Editor: OCD Tech
Category: Cybersecurity
Date: April 26, 2025

In the last week of April, Google announced an update to Google Authenticator that added the ability to back up one-time-code secrets to a Google account. In this article the OCD Tech editorial team collects several opinions about the risks this may bring.

Google introduced support for syncing two-factor authentication codes via its Google Authenticator app this week. The new feature improved the usability for multi-device users of the app. Google customers could sync codes across iOS and Android devices using the feature.

Many users may have enabled the feature already, but it is advisable to keep it turned off for now. Here is why: the synced data, which contains highly sensitive information, is not end-to-end encrypted. Analysis of the network traffic shows that the secrets are not encrypted in a way that keeps them from Google, which means that Google, and likely anyone who gains access to the Google account, can read them.

The secret in this case is the seed from which the one-time codes are generated, and it is the core of the second factor: anyone who holds the seed can produce valid one-time codes for the linked service. The synced data often also carries the name of the linked service and the account name.
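To make concrete what a synced entry contains and why the seed alone is enough, here is an added example (it is not from the article, from Mysk, or from Google's app): it parses a constructed otpauth:// entry of the kind authenticator apps store, pulls out the issuer and account metadata, and derives the current code from the seed per RFC 6238 using only the Python standard library. The sample seed is the RFC 6238 test key and the issuer and account name are made up.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of one entry as an authenticator app stores it: an otpauth://
# URI carrying the base32 seed plus issuer and account-name metadata. The seed is
# the RFC 6238 test key (ASCII "12345678901234567890"); it belongs to no real account.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%20Service:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Service&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Extract the seed and the account metadata that travel together in a backup."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "issuer": query.get("issuer", issuer_from_label),
        "account": account,
        "secret_b32": query["secret"],
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def totp_from_seed(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the seed plus the clock is all a code needs."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)  # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def codes_for_entry(uri: str, unix_time: int) -> dict:
    """What a plaintext copy of a synced entry yields: whose account, and a valid code."""
    entry = parse_otpauth(uri)
    entry["code"] = totp_from_seed(entry["secret_b32"], unix_time, entry["digits"], entry["period"])
    return entry
```

Call `codes_for_entry(SAMPLE_OTPAUTH_URI, int(time.time()))` to see that nothing beyond the stored entry and the current time is required; that is the property end-to-end encryption of the backup is meant to protect.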

Image: How to set up sync in the Google Authenticator app

Mysk discovered the issue and made it public. They recommend keeping the sync option disabled for the time being, at the expense of convenience, to keep the data secure.

They stated: "We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."

Google might at some point introduce support for a user-chosen passphrase that protects the data before it is transferred to the company's cloud servers.

Another consequence is that Google could hand over the secrets when legally required to do so. With end-to-end encryption in place, Google would not be able to produce the requested data in readable form.

Sources:
https://www.ghacks.net/2023/04/26/why-you-shouldnt-turn-on-google-authenticators-cloud-sync-feature/
https://defcon.social/@mysk/110262313275622023

By OCD Tech, May 19, 2023