Google launched a highly requested feature in its Authenticator app a couple of days ago in the form of sync functionality. What this means is that Google Authenticator users can transfer "secrets" across multiple devices so even if you lose your primary device which had the app installed, you could just restore it on a secondary device and continue using two-factor authentication (2FA). However, a security firm has now revealed an arguably big flaw in the design of this syncing functionality, which may deter some users from continuing to leverage it.
The security researchers over at Mysk have reported that the syncing of Google Authenticator secrets across devices is not end-to-end (E2E) encrypted. For those unaware, a secret is the seed used to generate the 2FA codes that users enter to log in to various accounts. Since these secrets are not E2E encrypted in Google's implementation, an attacker who compromises your network, your Google account, or related infrastructure would be able to read the secrets and generate your 2FA codes.
Mysk further noted how even Google could misuse your secrets for personalized ads:
[...] 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.
Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.
The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now.
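To make concrete what a synced-but-unencrypted secret exposes, here is an added example (not code from Mysk or Google) that parses the otpauth:// URI carried by a typical 2FA enrolment QR code and derives a code from it with RFC 6238 TOTP. The sample URI is constructed; its secret is the RFC 6238 reference key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of an otpauth:// URI as embedded in a 2FA QR code.
# The secret is the RFC 6238 test key ("12345678901234567890" in base32).
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Return the fields a sync service sees when the secret is stored without E2E encryption."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parsed.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "issuer": params.get("issuer", issuer_from_label),  # service name (Twitter, Amazon, ...)
        "account": account,                                  # account name
        "secret": params["secret"],                          # the seed itself
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: whoever holds the secret can produce valid codes."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri: str, unix_time: int) -> str:
    """Derive the current code directly from the enrolment URI, as a holder of the synced data could."""
    fields = parse_otpauth(uri)
    return totp(fields["secret"], unix_time, fields["digits"], fields["period"])


if __name__ == "__main__":
    f = parse_otpauth(SAMPLE_URI)
    print(f"issuer={f['issuer']} account={f['account']}")  # metadata visible to the sync service
    print(code_from_uri(SAMPLE_URI, 59))  # RFC 6238 vector at T=59: 287082
```

The metadata printed first is exactly the service and account information Mysk warns is visible to Google; the code printed second is what anyone holding the plaintext secret can mint at will.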
Google has admitted that E2E encryption is missing from the current rollout of sync functionality in Authenticator. It says it chose to ship the highly requested convenience feature first and implement E2E encryption later, which is ironic given that customers have been requesting sync for several years already.
In a statement to CNET, Google noted that:
End-to-End Encryption (E2EE) is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To ensure that we're offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.
As it stands, Mysk has advised Google Authenticator users not to use the sync functionality until E2E encryption is added. However, Google has not given a timeline either, so there is no knowing when it will arrive.
Source: Mysk (Twitter)