Google Authenticator Backups May Be Risky

[Image: an Android phone's app screen showing the icons for Google Authenticator, Microsoft Authenticator, Authy, Aegis and Yubico Authenticator.] There are many authenticator apps available nowadays, though Google Authenticator is probably the most well-known. Image credit: Rebecca Lea Morris.

Earlier this week, Google announced that its authenticator app was finally getting a much-wanted feature: cloud backups. Yesterday, however, a duo of security researchers called Mysk warned users not to enable it, since the backups are not end-to-end encrypted.

Mysk explained “there is no option to add a passphrase” to secure the backup data so it is “accessible only by the user.” As the duo pointed out, this means that if a user enables cloud backup, Google can see the secret keys that generate their 2FA codes. Worse, they add, “if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”

[AI-generated image of a person wearing glasses and a mask looking at a computer screen.] Image generated using Midjourney. Prompt: A hacker snooping on my data, digital art style

The backups often also contain the usernames and site names for the accounts a user has protected with 2FA, e.g. @safenotscammed on Twitter. Without end-to-end encryption, Google “could potentially use this information for personalized ads,” Mysk warned.

Google’s Christiaan Brand responded to these concerns. He acknowledged the benefits of end-to-end encryption but pointed out it also has a cost: users who forget their passphrase would be “locked out of their own data without recovery.”

However, Brand says an end-to-end encrypted option will be available “down the line.” In the meantime, “the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”
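To make the two technical points above concrete, here is an added illustration that is not code from the article, from Mysk or from Google: the raw TOTP secret held in a backup is all that is needed to compute the same codes the phone shows, and a passphrase-wrapped backup of the kind Brand describes fails closed, so a forgotten passphrase means the data is gone. It assumes Ruby's bundled OpenSSL; the sample export string, salt and nonce sizes and the PBKDF2 iteration count are constructed example values.

```ruby
require 'openssl'
require 'securerandom'

SALT_LEN  = 16
NONCE_LEN = 12
TAG_LEN   = 16
PBKDF2_ITERS = 200_000 # work factor; constructed example value, tune for the device

# TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits). Anyone holding the raw
# secret from a backup computes exactly the code the phone displays.
def totp(secret, unix_time, step: 30, digits: 6)
  msg  = [unix_time / step].pack('Q>')                # 8-byte big-endian counter
  h    = OpenSSL::HMAC.digest('SHA1', secret, msg)
  off  = h.getbyte(-1) & 0x0f                         # dynamic truncation offset
  code = h.byteslice(off, 4).unpack1('N') & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, '0')
end

# Passphrase -> AES-256 key via PBKDF2-HMAC-SHA256. Only the salt is stored
# with the backup; the passphrase itself never leaves the device.
def derive_key(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, PBKDF2_ITERS, 32, OpenSSL::Digest.new('SHA256'))
end

# Returns salt || nonce || ciphertext || GCM tag for the exported secrets.
def seal_backup(passphrase, secrets)
  salt, nonce = SecureRandom.random_bytes(SALT_LEN), SecureRandom.random_bytes(NONCE_LEN)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key, c.iv = derive_key(passphrase, salt), nonce
  c.auth_data = ''
  ct = c.update(secrets) + c.final
  salt + nonce + ct + c.auth_tag
end

# Fails closed: a wrong or forgotten passphrase derives a different key, the
# GCM tag check fails, and nobody (the provider included) can recover the data.
def open_backup(passphrase, blob)
  hdr = SALT_LEN + NONCE_LEN
  return nil if blob.bytesize < hdr + TAG_LEN + 1     # too short to hold any payload
  salt, nonce = blob.byteslice(0, SALT_LEN), blob.byteslice(SALT_LEN, NONCE_LEN)
  ct = blob.byteslice(hdr, blob.bytesize - hdr - TAG_LEN)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key, c.iv = derive_key(passphrase, salt), nonce
  c.auth_tag  = blob.byteslice(-TAG_LEN, TAG_LEN)
  c.auth_data = ''
  c.update(ct) + c.final
rescue OpenSSL::Cipher::CipherError
  nil                                                 # wrong passphrase or tampered blob
end
```

The TOTP function reproduces the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`), which is the same computation an attacker with a plaintext backup would run.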
