The 2FA backup codes that Google Authenticator has been able to generate since this week are not end-to-end encrypted. Google confirmed this after privacy researchers from Mysk discovered it. Google says it is working on end-to-end encryption.
Data is encrypted in transit and at rest, says Christian Brand, Group Product Manager at Google. However, this encryption is not end-to-end. Google says it chose this approach because end-to-end encryption risks locking users out of their own data. Brand says the current implementation therefore strikes the “right balance” between security and ease of use.
The company does plan to release end-to-end encryption, though Brand does not say when. With the addition of end-to-end encryption, Google wants to make sure that users have “all the options at their disposal.” Brand also notes that users can disable cloud backup of their tokens and use the app offline.
Brand tweeted in response to findings by two privacy researchers who work together under the name Mysk. Based on network traffic, the researchers found that the secrets used to generate 2FA tokens are not sent with end-to-end encryption. According to the researchers, Google, or anyone with access to Google’s data, can see the secrets. The company released the cloud backup feature earlier this week.
(3/4) To ensure that we offer a full range of choices for users, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator in the future.
– Christian Brand (@employee) April 26, 2023
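As an added illustration (not code from the article, from Mysk or from Google), the following Python models the distinction the article draws: an RFC 6238 TOTP code computed from a backed-up secret, a backup encrypted with a key the provider holds (encrypted in transit and at rest, but readable by whoever holds that key), and an end-to-end-encrypted backup keyed from a user passphrase that never leaves the device. The cipher construction, `PROVIDER_KEY`, the passphrase and the salt are constructed for this example; a real client would use AES-GCM rather than the stdlib-only construction shown here.

```python
import hashlib
import hmac
import os
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the backed-up secret is all that is needed to mint codes."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Illustrative stdlib-only encrypt-then-MAC (HMAC-SHA256 keystream + tag); a real client uses AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Design 1 (what the researchers observed): encrypted in transit and at rest with a provider-held key.
PROVIDER_KEY = os.urandom(32)  # constructed; stands in for the provider's storage key

def backup_provider_keyed(secret: bytes) -> bytes:
    return encrypt(PROVIDER_KEY, secret)

def provider_side_code(blob: bytes, unix_time: int) -> str:
    """Whoever holds the provider's key (the provider, or anyone with access to its data) can mint codes."""
    return totp(decrypt(PROVIDER_KEY, blob), unix_time)

# Design 2 (E2EE): the key is derived on the device from a user passphrase and never leaves it.
def backup_e2e(secret: bytes, passphrase: str, salt: bytes) -> bytes:
    return encrypt(hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000), secret)

def restore_e2e(blob: bytes, passphrase: str, salt: bytes) -> bytes:
    return decrypt(hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000), blob)
```

With the E2EE design the provider stores only ciphertext, and the same `decrypt` call that recovers the secret under design 1 fails without the user's passphrase; the trade-off Brand describes is that a forgotten passphrase then makes the backup unrecoverable.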