Did you know that Google Authenticator was not secure until now? It may be hard to accept, but it is true. Google is now planning to add end-to-end encryption to Google Authenticator. A few days ago, security researchers criticized the company for not adding a high level of security to its premium tool.
In response to the criticism, the company is rolling out an account sync feature to Google Authenticator. On his Twitter account, Google product manager Christiaan Brand writes that the company plans to offer E2EE in the future. Mr. Brand writes,
“For now, we believe our current product strikes the right balance for most users and offers significant advantages over offline use. Yet, the option to use the application offline will remain a choice to those who prefer to manage their own backup strategy”.
Google Authenticator Will Get End-to-End Encryption…
It was shocking to learn that Google Authenticator does not have a reliable security feature. Earlier this week, the tool started showing a two-factor authentication option to its users. With this option, users will be able to sync two-factor authentication codes with their Google accounts. This will make it easier for users to sign in to their Google accounts on new devices.
This is a welcome change, but it may bring some security concerns with it. With this change, hackers will be able to access all linked Google accounts of a user by breaking into one. One thing is for sure, hackers and even Google will not be able to see users' information if this feature gets E2EE support. Mysk, a security researcher, pointed out these risks on Twitter. They said:
“If there's ever a data breach or someone gains access to your Google account, all your 2FA secrets will be compromised.”
According to the researchers, without E2EE Google will be able to access users' information to display personalized ads. They advised users not to use this feature until Google adds E2EE support. In turn, Brand hit back at the critics and said,
“While Google encrypts data in transit and at rest in all of our products, including Google Authenticator, applying E2EE comes at the cost of locking users out of their own data without recovery.”
At this time, we are not sure when Google will add the E2EE feature to Google Authenticator. Until then, users will have the option to enable this feature without E2EE, or they can continue using the app offline.