The 2FA backup codes that Google's Authenticator app can generate since this week are not end-to-end encrypted. Google confirmed this after the privacy researchers Mysk discovered it. Google says it is working on end-to-end encryption.
Data is encrypted in transit and at rest, says Christiaan Brand, Group Product Manager at Google. However, this encryption is not end-to-end. Google says it chose this because end-to-end encryption carries the risk that users lock themselves out of their own data. The current implementation is therefore the "right balance" between security and ease of use, according to Brand.
However, the company does plan to release end-to-end encryption, although Brand does not say when that will be. By adding end-to-end encryption, Google wants to ensure that users have "all options available to them". Brand also points out that users can disable cloud backup of the codes and use the app offline.
Brand's tweets are a response to findings by two privacy researchers who work together under the name Mysk. By inspecting the network traffic, these researchers found that the secrets needed to generate a 2FA code are not sent with end-to-end encryption. Google, or anyone with access to Google's data, could see those secrets, the researchers say. The company released the cloud backup feature earlier this week.