The newest update for Google’s 2-Factor-Authentication app finally allows for cross-device synchronization.
“Yayyy, more convenience! \( ゚O゚)/”
No more cumbersome manual entering of backup codes every time you change to a new device.
The cloud comes to the rescue!
But… is this really a good deal for you? Especially when you secure very valuable data and access credentials via Google’s 2FA feature?
The short answer is:
NO – ABSOLUTELY NOT!
DO NOT UPDATE / TURN ON THE NEW GOOGLE 2FA SYNC FEATURE!
…unless convenience is more important to you than strong security.
Interested in more details about how the new Google 2FA version increases your attack surface?
Then read on.
As security researchers from Mysk have shown, utilizing the offered cloud backup to synchronize the 2FA codes across devices leads to your secrets being transmitted in not end-to-end encrypted fashion between your device and Google’s servers.
This means if anyone is able to intercept this traffic, they will gain access to your 2FA codes!
…and with that have a much easier time to potentially compromise any accounts you thought you have protected via the utilization of the Google 2FA app.
Summarized, the recommended course of action by the security researchers of Mysk remains:
The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now.
