Google Authenticator Synchronizes 2FA Codes With the Cloud
Google has announced an expansion of Authenticator, the app that protects Google accounts with two-factor authentication: the 2FA secrets can now be synchronized with the cloud.
Google’s two-factor authentication has many advantages, but one big drawback has finally been fixed. Previously, when changing or losing a smartphone, the user had to set up every account in Google Authenticator again. Now the app synchronizes with the cloud, which lets the user transfer the data to a new device.
What is Google Authenticator?
Google Authenticator is an application that helps protect your account from unauthorized access and works on the principle of two-factor authentication (2FA). 2FA means logging into the account not only with a password, but also by entering a special code generated by the application on the phone. This significantly increases the level of security, since an attacker can no longer log in to the account even if they know the password.
Two-factor authentication has many advantages:
- Increased protection against phishing attacks, in which attackers try to extract a password or other personal data using fake messages or websites.
- Reduced risk of account hijacking, in which attackers use stolen or black-market passwords to access your data or resources.
- Compliance with industry norms and standards that require the use of two-factor authentication to protect confidential data.
However, the Google Authenticator app had a drawback: if a person lost or changed their phone, the authentication codes were lost as well. Google has now addressed this problem by adding the ability to synchronize Google Authenticator codes with the cloud.
This means that the user can transfer the codes to a new phone or restore them in case of loss of the old one. To do this, enable the “Cloud Sync” function in the application settings and confirm your phone number. The feature is currently available only for Android users, but it will soon appear for iOS users as well.
In practice, this update lets users log in with their Google account and sync 2FA secrets across their iOS and Android devices.
However, the synchronized data is not protected by end-to-end encryption, so Google can presumably read the secrets while they are stored on its servers. There is no way to add a passphrase that would make the secrets readable only to the user.
Why is this a problem?
Each 2FA QR code contains a secret (the seed) from which the one-time codes are generated. Anyone who knows the secret can generate the same one-time codes and bypass the 2FA protection.
Beyond the risk of the secret itself being compromised, such QR codes also carry other confidential information: the account name and the name of the service (for example, Twitter, Amazon, etc.).
Since Google can see all this data, it knows which online services you use, and can potentially use this information for personalized advertising.
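To make concrete why the seed inside the QR code is the whole credential, and what else the QR code reveals, here is an added example (not Google's code) that parses a constructed otpauth:// URI of the kind a 2FA QR code encodes and derives the RFC 6238 TOTP codes from it. The secret is the RFC 6238 reference key; the issuer and account are made-up values. Any party holding the plaintext URI, including a sync backend that stores it without end-to-end encryption, can read the service and account name and compute the same codes as the user's phone.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the otpauth:// URI encoded in a 2FA QR code. The secret is
# the RFC 6238 reference key "12345678901234567890" in base32; the issuer and
# account are made-up values.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Return issuer, account and the raw secret bytes carried by a TOTP QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    params = parse_qs(u.query)
    b32 = params["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # QR codes usually omit base32 padding
    return {
        "issuer": params.get("issuer", [label_issuer])[0],
        "account": account,
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator implements."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def derive_from_stored_uri(uri, unix_time):
    """Everything a holder of the plaintext URI learns: service, account, current code."""
    p = parse_otpauth(uri)
    return p["issuer"], p["account"], totp(p["secret"], unix_time, p["digits"], p["period"])


if __name__ == "__main__":
    import time
    print(derive_from_stored_uri(SAMPLE_URI, time.time()))
```

The test values below are the RFC 6238 Appendix B vectors, so the output can be checked against the standard rather than against a phone.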
However, you can still use the app without logging in and syncing.