“We encrypt data in transit, and at rest, across our products, including in Google Authenticator.

Google responded to this omission through its Product Manager, Christiaan Brand, who stated on Twitter that the company plans to add end-to-end encryption in a future version of the Authenticator app.

“This means that Google can see the secrets, likely even while they’re stored on their servers, and there is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”

Cleartext communication exchange

“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” explained Mysk.

To determine if these fears were substantiated, security researcher duo ‘Mysk’ posted their findings on Twitter, urging users to avoid turning on the syncing option, as it does not protect their 2FA codes from man-in-the-middle attacks.

While this new option brought cheers and joy to long-time users of the app, who could now feel more comfortable storing their account access keys on the cloud, some felt this would be too risky if Google didn’t take the appropriate security precautions.

On April 24, 2023, Google announced that a new release of the Authenticator app (v6.0 on Android and v4.0 on iOS), a specialized tool that helps users generate one-time codes for their online accounts, will support cloud syncing for easier account recovery in the case of device loss, as well as synchronization across the user’s various devices.

When it comes to your security and privacy, only use trusted apps and services. And, as always, consider deploying a dedicated security solution on your personal devices.

Security researchers warn users of Google Authenticator not to turn on the cloud sync feature that Google made available to Android and iOS users recently, as the security of their 2FA data on the cloud isn’t guaranteed.
However, bad actors can go to great lengths to intercept your codes using SIM swapping / SIM jacking, so it’s advisable that you use a trusted authenticator app.

SMS-based 2FA is better than no 2FA at all.

Threat actors can easily compromise online accounts that lack a second layer of authentication, so two-factor authentication has become a must in today’s world.

Other trusted options include Duo Mobile and Okta Verify.

As an iOS user, you can safely stay in your ecosystem and avoid downloading a separate authenticator app until you absolutely need one.

They’re both very straightforward and free to use indefinitely.

Apple offers its own official 2FA solution as part of iCloud Keychain.

Google and Microsoft offer some of the best authenticator apps on the market.

So it’s important to take your time and find the ones worth using.

In the case of authenticator apps, many legitimate ones actually turn up lower in the query list.

Users end up downloading whatever turns up first, either because they trust the App Store to serve the best app, or simply out of convenience.