Why You Should Think Twice About Using Google Authenticator's Cloud Sync

Zinger Key Points
  • Google Authenticator's Cloud Sync can compromise security by backing up private keys without an additional passphrase.
  • Other apps have a more secure 2FA option with a recommended cloud backup mode that encrypts private keys on its servers.

Alphabet Inc's (GOOG, GOOGL) Google Authenticator is a popular two-factor authentication (2FA) app that generates time-based codes used to log into various services. However, according to Pablo Sabbatella, founder of Ethereum Argentina and DefyEducation, the app's cloud synchronization feature is not secure and poses a significant risk to users.

Sabbatella explained in a Twitter thread that while Google Authenticator is not a Single Point of Failure (SPOF), it is an app that users must handle with great care, because it is used to access almost all of their services. For each account that users load into Google Authenticator, Authy, or Microsoft Authenticator, the app stores a private key belonging to that account. This private key is used to generate a new code every 30 seconds.


When Google Authenticator backs up accounts to the cloud, it backs up these private keys (also known as secret keys) without the additional passphrase that Authy requires. This means that if someone gains access to a user's Google account, they not only have access to the passwords stored in Google, but also to the second factor, which would allow them to log in to all of the user's accounts.
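As an added illustration (not code from the article, Google or Authy), the following Python shows why the backed-up secret is the whole second factor: whoever holds a copy of it computes exactly the same 30-second codes as the user's phone. It implements the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238) with a constructed base32 secret that decodes to the RFC test key, so the results can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret in base32, the form authenticator apps import
# from a QR code. It is not a real account's key: it decodes to the
# RFC 4226/6238 test key "12345678901234567890".
CONSTRUCTED_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / 30 s)."""
    return hotp(secret_b32, unix_time // step, digits)


def backup_reveals_second_factor(device_secret: str, backup_copy: str, unix_time: int) -> bool:
    """True when a holder of the backup copy produces the same code as the device.

    For an unencrypted backup the copy *is* the secret, so this is always True:
    the login provider cannot tell the two parties apart.
    """
    return totp(backup_copy, unix_time) == totp(device_secret, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("device code :", totp(CONSTRUCTED_SECRET, now))
    print("backup code :", totp(CONSTRUCTED_SECRET, now))
    print("same factor :", backup_reveals_second_factor(CONSTRUCTED_SECRET, CONSTRUCTED_SECRET, now))
```

A passphrase-encrypted backup (the Authy mode described below) changes only the second argument: the backup holds ciphertext, and without the passphrase the attacker cannot recover the base32 secret that this code needs.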

Sabbatella concludes that users must know how to manage separate environments and not put all their eggs in one basket. "Just as you should not use the 2FA code generator of the password managers, you should not back up unencrypted codes (as in this case), especially not in your Gmail account," he says.

His recommendation is to use another 2FA app such as Authy instead and to choose its cloud backup mode with a complex passphrase, which encrypts the private keys that generate the codes. If someone compromises the 2FA app's cloud storage or steals access to the user's account, they would still need this passphrase to use the backup.

While Google Authenticator is a popular 2FA app, users must be aware of the risks of its cloud synchronization feature. Sabbatella's advice is to use an alternative such as Authy, which offers a cloud backup mode that encrypts the keys with a user-chosen passphrase.

