Google Authenticator update allows syncing Google accounts, raising security concerns
After an update, Google Authenticator lets users opt in to synchronizing their codes with a Google account, sparking debate about whether the app's secrets should be synced to the account at all.
Google Authenticator now supports syncing Google accounts
According to Google's announcement, Google Authenticator for iOS and Android was updated on April 24. After updating, users will see a new logo and a redesigned interface.
As with Gmail, users can now sign in to Google Authenticator with one or more Google accounts. When signed in, Google backs up the secret keys (the seeds from which the one-time codes are generated) to the user's Google account.
With this backup in place, a user who changes phones or loses one can restore every account previously enrolled in Google Authenticator by signing in to the Google account, instead of re-enrolling each service.
Users can also keep using Google Authenticator without signing in, which is how the app worked before the update.
That is also what many security experts recommend.
Syncing Google Authenticator widens the attack surface
The update has been widely discussed on Reddit, where most commenters advise against enabling sync. Their suggestions include:
- Switching to a different 2FA authenticator app.
- Protecting the Google account itself with a hardware security key such as a YubiKey, so that the synced secrets cannot be reached with a password alone.
- Transferring the codes to an old phone kept as a spare, rather than syncing them to a cloud account, so that losing the current phone does not lock the user out.
The security researchers at Mysk also urged users not to enable sync.
Their analysis of the sync traffic found no end-to-end encryption: the secrets are protected only by the Google account login, not by a key that stays on the user's devices. This means:
- Google, or anyone who compromises the Google account, can read the secrets and therefore generate every one of the user's verification codes.
- Google learns which services a user has enrolled, because each entry carries the issuer and account name (for example Twitter or Amazon).
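To make concrete what an unencrypted backup exposes, the following Python is an added example written for this page; it is not code from Mysk or from Google Authenticator. It assumes the entries are held in the standard otpauth:// URI form used for enrollment QR codes and transfers, uses constructed sample accounts with the RFC 6238 test key (so the derived codes can be checked against the RFC's published vectors), and computes TOTP codes per RFC 6238 to show that whoever can read the secret can produce every code the phone would:

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample entries (not real accounts) in the otpauth:// URI form that
# authenticator apps, Google Authenticator included, use when an account is
# enrolled or transferred. The secret is the RFC 6238 test key
# ("12345678901234567890" in base32), so derived codes can be checked against
# the RFC's published vectors.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_URIS = [
    "otpauth://totp/Twitter:alice%40example.com"
    f"?secret={RFC6238_TEST_SECRET}&issuer=Twitter",
    "otpauth://totp/Amazon:alice%40example.com"
    f"?secret={RFC6238_TEST_SECRET}&issuer=Amazon&digits=6&period=30",
]


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the fields a backup has to store.

    Everything returned here is what a party holding an unencrypted backup
    sees: issuer and account label reveal *which* services are enrolled, and
    the secret is all that is needed to mint valid codes for them.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    label = unquote(u.path.lstrip("/"))
    # Label is "Issuer:account" by convention; an explicit issuer= wins.
    label_issuer, _, account = label.rpartition(":")
    q = parse_qs(u.query)
    return {
        "issuer": q.get("issuer", [label_issuer])[0] or label_issuer,
        "account": account,
        "secret": q["secret"][0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(secret_b32, at, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step."""
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(at) // period
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def exposure_report(uris, at):
    """What someone holding the plaintext backup learns at time `at`:
    (service, account, the code that is valid right now) for every entry."""
    rows = []
    for uri in uris:
        e = parse_otpauth(uri)
        rows.append((e["issuer"], e["account"],
                     totp(e["secret"], at, e["digits"], e["period"],
                          e["algorithm"])))
    return rows


if __name__ == "__main__":
    for issuer, account, code in exposure_report(SAMPLE_URIS, time.time()):
        print(f"{issuer:<10} {account:<22} current code: {code}")
```

With end-to-end encryption the `secret` field in the backup would be ciphertext under a key that never leaves the user's devices, and `totp()` could not be run on the server side; note that the issuer and account labels would still reveal which services are enrolled unless they were encrypted too.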
Google: Continuous optimization
In the announcement, Google said the sync feature was added in response to feedback from many users: losing a phone or computer meant losing access to every service protected by codes from Authenticator.
Google also emphasized that it is actively promoting passwordless authentication. Since verification codes remain a critical part of online security for now, it will continue to improve Google Authenticator.