Security Advisory: Protect Your Digital Presence by Avoiding Google Authenticator Sign-ins Until End-to-End Encryption (E2EE) Arrives
In a recent update, Google announced a long-awaited feature for the Google Authenticator app: the ability to back up your MFA secrets to the cloud.
Google Authenticator is a widely used app that adds an extra layer of security to your online accounts. It generates one-time passwords (OTPs): time-based or event-based codes that act as temporary passwords when logging into websites or applications, serving as a second factor for Multi-Factor Authentication (MFA).
However, security researchers at Mysk discovered that this data was not end-to-end encrypted when uploaded to Google's servers.
End-to-end encryption ensures that your data is encrypted on your device, using a key derived from a password only you know, before it is transmitted and stored elsewhere. With this encryption, even someone who gains access to the server storing the data cannot decipher it without that key.
In short, without E2EE for Google Authenticator backups, unauthorized parties can potentially read your MFA secrets. Anyone who obtains access to your account, whether through a data breach or a dishonest individual, can use those secrets to impersonate you and sign in to your other accounts. This can lead to data breaches, identity theft, financial loss, and compromise of sensitive information.
We therefore urge you to use the app "offline": do not sign into your Google account from the Google Authenticator app until E2EE rolls out.
Stay safe and protect your digital presence!