Earlier this week, Google announced their authenticator was finally getting a much-wanted feature: cloud backups. Yesterday, however, a duo of security researchers called Mysk warned users not to enable it since the backups are not end-to-end encrypted.
Mysk explained “there is no option to add a passphrase” to secure the backup data so it is “accessible only by the user.” As the duo pointed out, this means that if a user enables cloud backup, Google can see the secret keys that generate their 2FA codes. Since a TOTP code is derived entirely from that shared secret and the current time, anyone who holds the secret can produce valid codes. Worse, they add, “if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”
The backups often also contain the usernames and site names for the accounts a user has protected with 2FA, for example a Twitter handle such as @safenotscammed. Without end-to-end encryption, Google “could potentially use this information for personalized ads,” Mysk warned.
Google’s Christiaan Brand responded to these concerns. He acknowledged the benefits of end-to-end encryption but pointed out it also has a cost: users who forget their passphrase would be “locked out of their own data without recovery.”
However, Brand says an end-to-end encrypted option will be available “down the line.” In the meantime, “the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”