Google finally added a long-requested feature to Google Authenticator: account syncing, which backs up your one-time-code secrets to your Google account. It removes a lot of pain along the way. A lost or stolen phone no longer means re-enrolling every account, and moving to a new iPhone or Android handset gets easier. But Authenticator's account sync lacks a major security feature: end-to-end encryption (E2EE).
Since Authenticator holds the two-factor authentication (2FA) secrets that protect your most important accounts, end-to-end encrypting that backup sounds like a no-brainer. The app does encrypt the data in transit, but that is not end-to-end encryption: Google, not you, holds the keys. Google says it plans to add E2EE later.
Soon after Google announced account syncing for Google Authenticator data, security researchers discovered that the feature doesn’t support end-to-end encryption.
That sounds like a serious enough issue to keep you from using the convenient sync option. If the lack of end-to-end encryption worries you, you may well want to postpone syncing until Google ships E2EE support.
That said, synced Authenticator data is not unprotected. It is encrypted between your devices and Google's servers, and Google says it is encrypted at rest as well. The gap is who controls the keys: because Google can decrypt the data, a compromise of your Google account would also expose the secrets behind your 2FA codes, and whoever holds those secrets can generate valid codes. A second factor is supposed to survive exactly that kind of account compromise, which is why researchers flagged the missing E2EE.
Google product manager Christiaan Brand addressed the matter on Twitter. He revealed that support for end-to-end encryption is coming.
“We’re always focused on the safety and security of @Google users, and the newest updates to Google Authenticator were no exception. Our goal is to offer features that protect users, BUT are useful and convenient,” Brand said.
“We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery.”
Brand also said that Google has started rolling out optional end-to-end encryption in some of its products, and that Google Authenticator will follow.
“Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use,” Brand added. “However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”
Using the app offline means not signing in to your Google account from within Authenticator until E2EE rolls out. Your secrets then stay on that one device, and protecting against a lost or broken phone is your job, not Google's.
When end-to-end encryption does arrive, expect to create a strong recovery key or passphrase and store it somewhere safe: with E2EE, Google cannot restore the data for you if you lose that key, which is the lockout trade-off Brand describes. But we'll cross that bridge when we get there. Brand hasn't offered a timeline for Google Authenticator getting end-to-end encryption.
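To make the difference concrete, here is an added, stdlib-only Python model of the two backup designs discussed above: a record the server can read (what transit-only or provider-held encryption amounts to once the data leaves the phone) beside a record the client encrypts under a user-held recovery passphrase before upload. This is illustrative code written for this article, not Google's implementation, and it makes no claim about how Authenticator sync actually stores anything. The seed value is the RFC 6238 test vector, the passphrases and the PBKDF2 round count are assumptions, and the HMAC-based stream cipher is used only because Python's standard library ships no AEAD.

```python
# Added illustration: "transit-only" vs end-to-end encrypted backup of a TOTP seed.
# Hypothetical stdlib-only code; NOT Google's implementation and no claim about
# how Google Authenticator sync works internally.
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000  # assumption: illustrative work factor for the recovery passphrase


def totp(seed_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) from a base32 seed.

    The seed is what a backup stores; whoever holds it can mint valid codes
    indefinitely, which is why its confidentiality matters more than any code's.
    """
    seed = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def backup_transit_only(seed_b32: str) -> Dict[str, bytes]:
    """Transit encryption only: TLS protects the upload, then the server decrypts
    and keeps the seed under keys the provider controls. Whoever can act as the
    account (or as the provider) gets the seed back."""
    return {"seed": seed_b32.encode()}


def _derive_keys(passphrase: str, salt: bytes):
    """Split one PBKDF2 output into an encryption key and a MAC key."""
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return k[:32], k[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def backup_e2ee(seed_b32: str, recovery_passphrase: str) -> Dict[str, bytes]:
    """End-to-end: the client encrypts and authenticates the seed under a key
    derived from a passphrase the server never sees. The server stores only
    salt, nonce, ciphertext and tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(recovery_passphrase, salt)
    pt = seed_b32.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def restore_e2ee(record: Dict[str, bytes], recovery_passphrase: str) -> Optional[str]:
    """Client-side restore. A wrong passphrase yields None: nobody, the provider
    included, can recover the seed. That is the lockout trade-off the article describes."""
    enc_key, mac_key = _derive_keys(recovery_passphrase, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()


def seed_visible_to_server(record: Dict[str, bytes]) -> Optional[str]:
    """What a server-side breach (or a takeover of the synced account) yields
    without the user's passphrase: the seed itself for the transit-only record,
    nothing usable for the E2EE record."""
    seed = record.get("seed")
    return seed.decode() if seed is not None else None


if __name__ == "__main__":
    SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test seed: base32 of "12345678901234567890"
    print("code at t=59:", totp(SEED, 59))  # RFC 6238 vector, 6 digits: 287082
    plain = backup_transit_only(SEED)
    sealed = backup_e2ee(SEED, "correct horse battery staple")  # assumed passphrase
    print("breach of transit-only record yields:", seed_visible_to_server(plain))
    print("breach of E2EE record yields:", seed_visible_to_server(sealed))
    print("restore with right passphrase:", restore_e2ee(sealed, "correct horse battery staple"))
    print("restore with wrong passphrase:", restore_e2ee(sealed, "wrong"))
```

The two `seed_visible_to_server` calls are the whole argument in miniature: the same account takeover that reads the first record back as a usable seed gets only salt, nonce, ciphertext and tag from the second. The `restore_e2ee(..., "wrong")` call is the other half of Brand's point: once the passphrase is the only key, losing it loses the data, which is why the E2EE rollout will come with recovery-key housekeeping for users.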