Google has finally added a cloud backup option for the one-time-password (OTP) secrets stored in its Authenticator mobile app.
The feature makes it easier to recover or move accounts, but it currently lacks a key security protection: the backups are not end-to-end encrypted.
Security researchers are asking Google Authenticator users not to turn on the new feature, even though cloud backup of OTP secrets was one of the most requested features over the years. The advice applies at least for the time being, because the option still lacks the additional layer of protection that end-to-end encryption would provide.
Google does not encrypt the underlying secrets end to end when users sync their "2FA secrets" to a Google Account so that they can access them across devices. According to research by Mysk, the data sent to Google's servers is not end-to-end encrypted.
Mysk discovered this by inspecting the network traffic generated by the sync procedure. The researchers note that this means Google itself, and anyone who gains access to that data on Google's side, may be able to read users' secret seeds while they are stored on its servers. Because every future code is derived from that seed, exposure of the seed is equivalent to exposure of the second factor.
End-to-end encryption is a protection that shields data in transit from eavesdropping and tampering, and ensures that the message (or file) can be read in its original form only by the sender and the intended recipient, not by the service that carries or stores it.
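To make concrete what is at stake when a synced seed is readable, here is an added Python example; it is not code from Google, Mysk or the original article. It assumes the seed is expressed in the standard otpauth:// key URI format that authenticator apps import from QR codes (Google's actual sync wire format is not described on this page and is not reproduced here). The URI, the account label and the seed are constructed sample data built from the RFC 6238 test key, and the function names are the example's own. Anyone holding the seed can mint the current code and every future code without touching the phone, which is why an unencrypted backup of seeds is as sensitive as the seeds themselves.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample (hypothetical account): an otpauth:// key URI of the kind
# authenticator apps import. The secret is the RFC 6238 test seed
# "12345678901234567890" in base32; it does not belong to any real account.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_key_uri(uri: str) -> dict:
    """Split an otpauth://totp/<label>?secret=...&... URI into its fields."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": q["secret"],
        "issuer": q.get("issuer"),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def decode_secret(b32: str) -> bytes:
    """Decode the base32 seed; tolerate lowercase, spaces and missing padding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    h = getattr(hashlib, algorithm.lower())
    digest = hmac.new(key, struct.pack(">Q", counter), h).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, at // period, digits, algorithm)


def verify_code(key: bytes, code: str, at: int, window: int = 1,
                digits: int = 6, period: int = 30) -> bool:
    """Server-side check: accept the code for the current step or any step
    within +/- window, comparing in constant time. The server needs nothing
    but the same seed, which is exactly what a readable backup leaks."""
    step = at // period
    return any(
        hmac.compare_digest(hotp(key, step + d, digits), code)
        for d in range(-window, window + 1)
    )


def codes_from_leaked_seed(uri: str, at: int, steps_ahead: int = 3) -> list:
    """What someone who reads the seed out of an unencrypted backup can do:
    compute the current code and the next few, with no access to the phone."""
    entry = parse_key_uri(uri)
    key = decode_secret(entry["secret"])
    return [
        totp(key, at + i * entry["period"], entry["digits"],
             entry["period"], entry["algorithm"])
        for i in range(steps_ahead)
    ]


if __name__ == "__main__":
    now = int(time.time())
    entry = parse_key_uri(SAMPLE_URI)
    print(f"seed for {entry['label']} yields codes:", codes_from_leaked_seed(SAMPLE_URI, now))
```

The `verify_code` function mirrors what the relying party does, which is the point: the seed is the entire secret on both sides, so a backup that a third party can read undoes the second factor for every account in it. A true end-to-end encrypted sync would encrypt the seeds on the device under a key derived from something the user holds and Google never receives (such as a passphrase or a device-bound key) before the data leaves the phone; that encryption step is deliberately out of scope here, since the page does not describe how Google stores the data and a sound implementation belongs in a vetted cryptography library rather than an inline example.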