
TL;DR: Don't use Google Authenticator's Online Sync Function

On April 24th, 2023, Google rolled out a feature for its Google Authenticator app that syncs a user’s accounts to their Google Account so that the same codes are available on several devices. The premise is that if a user loses their phone they won’t lose all of their two-factor authentication (2FA) codes. I’m a huge fan and supporter of Google Authenticator, but the problem with this new feature is that what gets synced is not the six-digit codes but the secret seeds that generate them, and Google is not end-to-end encrypting those seeds: they are readable by Google, and by anyone who gets into the Google Account they are synced to.

One day later, Naked Security had already examined the feature and pointed out that the sync traffic is protected by TLS but not end-to-end encrypted, so the account names and TOTP seeds arrive at Google’s servers in a form Google itself can read, and are only as safe as the Google Account that holds them.

Android Authority confirmed this on April 26th in an article that included a quote from Google’s own Product Manager, who states:

We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE [end-to-end encryption] is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line. Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.

The article goes on to discuss research by the software company Mysk:

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

It seems pretty clear at this point that there are real privacy and security issues at play here. Google apparently knows about them (and, as Mysk’s screenshots show, can see the issuer and account name stored alongside each seed, exactly the kind of data that feeds ad targeting) but, “…Right now…”, doesn’t appear willing to address them. Even with this in mind I’m not suggesting that users stop using Google Authenticator, and this certainly isn’t the end of the world.

Rather, I would submit that users take a step back and adopt a more proactive and systematic approach to security. Most users will at some point have a phone lost or stolen, dropped in the toilet, or smashed in an airline seat that then catches fire. Knowing the odds of this happening are high, why not keep your 2FA seeds on two separate devices that you physically control? This is something Google Authenticator already allows; the problem is that most people don’t want to invest the time before a significant event to prepare. Trust me, though: it will take far more time to reconstitute all of your codes and clean up your authenticated logins after an incident than to do one of the steps below beforehand.

Medium has a clearly written article on the first method, so I’m not going to repeat everything it points out, but this method generally involves enrolling each account on two separate devices at the same time, i.e. scanning each site’s setup QR code with both phones before finishing enrollment. Not a bad way to go if you are starting out from scratch with Google Authenticator.

However, what if you are already an Authenticator user and have 20+ accounts saved on your primary device? Since May 2020, if you don’t want to go through that trouble, the other method is to proactively export your accounts from your current phone to a backup device. The device types don’t matter, so you can have two Android phones, two iPhones, or one of each. Going this route keeps the accounts active on the first device and merely copies (not moves) them to the second; both phones then generate the same codes. All it takes is a simple 12-step process (seriously, it’s not that bad):

  1. Open Google Authenticator app on your old phone.

  2. Select three dots at the top right corner of the app.

  3. Select Transfer Accounts.

  4. Select Export Accounts.

  5. Select the accounts you would like to transfer and press Next. (You can also select individual accounts later for follow-on transfers.)

  6. Open Google Authenticator app on your new phone.

  7. Select the three dots at the top right corner of the app.

  8. Select Transfer Accounts.

  9. Select Import Accounts.

  10. Press Scan QR Code button.

  11. Scan the QR code displayed on the old phone using your new phone.

  12. Press Done on the old phone.

That’s all there is to it. You can also download each site’s backup codes and print them to hardcopy for secure storage, but please Do Not take a picture of the Authenticator export QR code and save it online. That QR code encodes every selected account’s secret seed in plaintext, so anyone who gets hold of the image can generate your codes. That’s just begging for trouble…
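To make concrete what both the non-end-to-end-encrypted sync and the export QR code expose, here is an added example in Python (not code from the original post, from Google, or from Mysk). It builds a constructed otpauth-migration://offline?data=... payload of the kind the export QR code encodes, parses it back with a small hand-written protobuf reader, and computes a TOTP code from each recovered seed. The message layout and field numbers follow what community decoders of the app’s migration payload describe and are an assumption here, not an official Google specification; the account names, issuers and seeds are constructed (the first seed is the RFC 6238 test vector).

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

# --- minimal protobuf wire-format helpers (varint and length-delimited fields only) ---

def _varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append((b | 0x80) if n else b)
        if not n:
            return bytes(out)

def _read_varint(buf, pos):
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def _field(num, wire_type, value):
    """Encode one field: tag, then a varint (wire type 0) or a length-prefixed blob (wire type 2)."""
    tag = _varint((num << 3) | wire_type)
    return tag + (_varint(value) if wire_type == 0 else _varint(len(value)) + value)

def _fields(buf):
    """Decode a flat message into a list of (field_number, wire_type, value)."""
    pos, out = 0, []
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        num, wt = key >> 3, key & 7
        if wt == 0:
            val, pos = _read_varint(buf, pos)
        elif wt == 2:
            ln, pos = _read_varint(buf, pos)
            val, pos = buf[pos:pos + ln], pos + ln
        else:
            raise ValueError(f"unsupported wire type {wt}")
        out.append((num, wt, val))
    return out

# Assumed layout (from community decoders, not an official spec):
# MigrationPayload: 1=otp_parameters (repeated), 2=version, 3=batch_size, 4=batch_index.
# OtpParameters: 1=secret (raw bytes), 2=name, 3=issuer, 4=algorithm (1=SHA1),
#                5=digits (1=six, 2=eight), 6=type (2=TOTP).

def build_migration_uri(accounts):
    """Encode constructed accounts the way a single-batch export QR would."""
    body = b""
    for a in accounts:
        params = (_field(1, 2, a["secret"]) + _field(2, 2, a["name"].encode())
                  + _field(3, 2, a["issuer"].encode()) + _field(4, 0, 1)
                  + _field(5, 0, 1) + _field(6, 0, 2))
        body += _field(1, 2, params)
    body += _field(2, 0, 1) + _field(3, 0, 1) + _field(4, 0, 0)
    return "otpauth-migration://offline?data=" + quote(base64.b64encode(body).decode(), safe="")

def parse_migration_uri(uri):
    """Recover every seed from an export payload: no key or passphrase is involved, it is plaintext."""
    u = urlparse(uri)
    if u.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    raw = base64.b64decode(parse_qs(u.query)["data"][0])
    accounts = []
    for num, _, val in _fields(raw):
        if num != 1:                      # skip version / batch bookkeeping fields
            continue
        a = {"secret": b"", "name": "", "issuer": "", "digits": 6}
        for n, _, v in _fields(val):
            if n == 1:
                a["secret"] = v
            elif n == 2:
                a["name"] = v.decode()
            elif n == 3:
                a["issuer"] = v.decode()
            elif n == 5:
                a["digits"] = 8 if v == 2 else 6
        accounts.append(a)
    return accounts

def totp(secret, unix_time, digits=6, step=30):
    """RFC 6238 TOTP with HMAC-SHA1, which is what Authenticator computes from each seed."""
    msg = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def codes_from_export(uri, unix_time):
    """What anyone holding the export image (or the synced copy) can compute: live codes."""
    return [(a["issuer"], a["name"], base64.b32encode(a["secret"]).decode(),
             totp(a["secret"], unix_time, a["digits"])) for a in parse_migration_uri(uri)]

# Constructed sample accounts; the first seed is the RFC 6238 test-vector key.
SAMPLE_ACCOUNTS = [
    {"secret": b"12345678901234567890", "name": "alice@example.com", "issuer": "ExampleCorp"},
    {"secret": b"\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc", "name": "alice", "issuer": "ExampleBank"},
]
SAMPLE_URI = build_migration_uri(SAMPLE_ACCOUNTS)

if __name__ == "__main__":
    for issuer, name, b32, code in codes_from_export(SAMPLE_URI, time.time()):
        print(f"{issuer:12} {name:20} seed={b32}  code={code}")
```

Run it and every seed prints in base32 next to a valid current code: nothing in the payload has to be unlocked. That is the position Google’s servers are in with synced accounts, and the position anyone who finds a saved photo of the export QR code is in.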