Google Authenticator has recently introduced a Update synchronization of single-use codes on their Google accounts, in order to prevent users from being blocked from their accounts in the event of a change of smartphone.
However, software company Mysk is warning users not to rely on the app to manage secure passcodes anymore. But why? Let's see it in the next lines.
Google Authenticator no longer has encryption
Mysk has discovered that the network traffic generated by the Authenticator app it is not end-to-end encrypted, increasing the risk that single-use codes could be compromised by an attacker. While the update appears to address a practical need, the risks associated with using the Authenticator may outweigh the benefits.
The company pointed out that i 2FA QR codes may contain personal information such as your account and service name. Although there is no evidence that Google uses this information to enrich personalized ads, i privacy risks of users would be high. In the event of a data breach, your personal information may be exposed to third parties.
Google responded to its users' concerns via a tweet from product manager Christiaan Brand. Brand explained that despite the lack of encryption of the codes in Authenticator, there are plans to offer the security protection in the future.
Here are his words: "Right now, we believe our current product strikes the right balance for most users and offers significant benefits over offline use. Also, the inclusion of stronger encryption like E2E may resurface the possibility of users being locked out of their accounts".
Brand also pointed out that syncing your Google Authenticator account is completely optional. Users then have complete control over how their information is backed up and can choose to use the app in offline mode if they feel more secure.
