back to article Google adds account sync for Authenticator, without E2EE

You may have heard news this week that Google is finally updating its authenticator app to add Google account synchronization. Before you rush to ensure your two-factor secrets are safe in the event you lose your device, take heed: The sync process isn't end-to-end encrypted. The lack of synchronization encryption was pointed …

  1. mark l 2 Silver badge

    Can you export your 2fa codes from Google Authenticator in a format that is compatible with other autheticator apps with this new update? I don't see any sync option in the version i have on my phone and the play store isn't saying there is any app update to install so i can't see for myself.

    Previously to export your 2fa accounts it would generate a QR code but those were only able to be imported back into Google Auth keeping you in the Google ecosystem and you couldn't even screenshot them easily to use 3rd party tools to get the info from those Google generated QR codes to a format that you could then use to import them to another authenticator app.

    I now use the open source app on my PC as my main authenticator app when setting up 2fa as that give you multiple formats for backing up your 2fa secrets as well as generates QR codes that can be imported into most authenticator apps.

  2. Anonymous Coward
    Anonymous Coward

    Focused, very focused

    "we're always focused on the safety and security of Google users and the newest update to Google Authenticator was no exception."

    => We're always focused on ensuring that we can slurp a copy of your security details, as well as any of the other data that you are foolish enough to pass through any of our services and devices. This update was no exception to this very particular focus.

    Brand said Google encrypts data in transit and at rest across its products.

    => Would it be far too cynical to read that as "the data is encrypted while in transit to Google, but is then decrypted on arrival (and a copy stored), before being transferred to its storage location in an encrypted form (but we have the decryption keys)"?

  3. Shak

    And around and around we go

    This fashion of converting our "what we haves" to "what we knows" has to stop. At that point you may as well just use a long password (which is all a seed is really).

    But the fact that most 2fa apps now have cloud backup means I'm the one missing the point.

  4. Claptrap314 Silver badge

    I can't remember

    the last time G required my "2FA" device for my GMail account. G's culture was built on the open flow of information, and they clearly just don't get stopping the flow.

    The entire idea of using an app as your second form of auth strikes me as bizarre in the first place. Just don't.

    1. DS999 Silver badge

      Re: I can't remember

      The entire idea of using an app as your second form of auth strikes me as bizarre in the first place

      Why? The "what you have" is your phone on which that app runs and where its seed is stored. The "what you know" is the password you have to provide to login in addition to the 2FA.

      If someone steals your phone then they have the "what you have" part but in order to access your 2FA they need to be able to break into your phone. Obviously biometrics like Face ID are not foolproof but it is against a casual thief, and your thief needs to act quickly before you (who presumably knows your phone has been stolen) can remotely wipe your phone or its biometric login times out and the bar is now raised much higher.

      All this assumes some third party doesn't do something unforgivably stupid, like cloud enable your 2FA so you can get the second factor without requiring the "what you have", of course!

      1. Claptrap314 Silver badge

        Re: I can't remember

        Are people's phones being stolen more or p0wned more?

        The thief I'm worried about never touches the phone in the first place..

  5. Friendly Neighbourhood Coder Dan

    Salesforce Community lets businesses spin up quick customer-facing websites

    "Users of Salesforce Community – a cloud-based tool that lets businesses spin up quick customer-facing websites –"

    In my professional opinion: quick my fucking arse.

    Trying to do anything, even the most basic things, salesforce is a nightmare.

    I guess it was some copy and paste from some marketing material?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like