Google has updated Google Authenticator, its mobile authenticator app for delivering time-based one-time authentication codes, and now allows users to sync (effectively: back up) their codes to their Google account.
A long-awaited option
Before this update, losing one’s mobile device with Google Authenticator on it created many problems for end users and enterprise IT departments.
“Since one time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator,” said Christiaan Brand, Group Product Manager at Google.
“With this update we’re rolling out a solution to this problem, making one time codes more durable by storing them safely in users’ Google Account. This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security,” Brand added.
How to back up your Google Authenticator codes
Users of the app must first update it to v6.0 on Android and 4.0 on iOS. They will then be prompted to sign in to their Google account so their Authenticator can automatically back up the codes to it.
They can later be seamlessly synced to a new device once the Google Authenticator app is installed on it and connected to the users’ Google account.
A similar, or identical, feature is already available in other popular authentication apps.
For example, Authy encrypts and stores users’ 2FA codes in the cloud, and Raivo OTP allows users to export their one-time passwords to encrypted ZIP archives and to sync them (encrypted) with their Apple iCloud. Microsoft Authenticator also has the encrypted backup/sync option.
Security and privacy-related observations
The new cloud sync feature is optional: you can still use Google Authenticator without logging in to your Google account, and your 2FA codes will remain on your device exclusively.
If you do sign in, though, and an attacker gains access to your Google account, they can connect a device of their own to it and sync the backed-up codes to that device. They would also learn the usernames for those accounts, since the usernames are what distinguishes the 2FA codes for each service. From there they would only need to phish or guess the passwords, or buy them online if they were exposed in a previous breach and never changed.
Security researchers with Mysk also pointed out that the backed-up codes are not end-to-end (E2E) encrypted, meaning that Google can access them. In theory, a malicious insider could access a target’s account and sync the codes to another device. Not all attackers are external, after all.
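As an added illustration (not from the article, and not Google's code): a backed-up Authenticator entry amounts to an otpauth URI carrying the account label, the issuer and the base32 seed, and anyone who can read that entry can compute the live codes themselves, which is why it matters that the backup is readable by the provider rather than end-to-end encrypted. The URI below is constructed; its seed is the RFC 6238 test secret, not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=...&issuer=... URI (the Key Uri
    Format used by authenticator apps) into issuer, account name and raw seed."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))          # "Issuer:account" or just "account"
    issuer, _, account = label.rpartition(":")
    secret_b32 = q["secret"].upper().rstrip("=")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR payloads often omit base32 padding
    return {
        "issuer": q.get("issuer", issuer),
        "account": account,
        "seed": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(seed: bytes, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the default used by Google Authenticator."""
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed sample entry; the seed is the RFC 6238 test secret "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example%20Corp:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Corp")


def code_from_backup(uri: str, at: int) -> tuple:
    """What a plaintext backup entry yields: who the account is, and its current code."""
    e = parse_otpauth(uri)
    return e["issuer"], e["account"], totp(e["seed"], at, e["digits"], e["period"])


if __name__ == "__main__":
    print(code_from_backup(SAMPLE_URI, int(time.time())))
```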
They also noted that when you ask Google to export data associated with your account, the 2FA secrets are not included in the download.
It would be nice to know how Google handles the backed-up codes and whether there’s an “un-sync” option as well (we haven’t found one). As things stand, from a security and privacy perspective, this is a handy option that seems to have been poorly implemented.
We’ve reached out to Google to get those questions answered, but haven’t heard back yet. With RSA Conference underway, that’s not wholly unexpected.