New Google Authenticator app supports Google Account to sync 2FA codes across devices [U: Lacks end-to-end encryption]

The Google Authenticator app for iOS has been updated with Google Account support to back up and sync one-time access codes across devices.

Designed as an additional layer of security for users’ online accounts, the Google Authenticator app adds a second verification step when signing in. Along with the password, users need to enter the two-factor authentication (2FA) code generated by the app on their iPhones. The app works offline and does not require a network or cellular connection to generate the verification code.

Users will have access to Google Authenticator app’s 2FA codes even when their iPhones are lost

Previously, the Google Authenticator app stored one-time codes only on a single device. If that device was lost or stolen, users lost access to those codes and could not sign in to any service on which they had set up 2FA via the app.

Now the new Google Authenticator app version 4.0 resolves that problem with support for Google Account synchronization. One-time codes are stored in users’ Google Accounts for easy access across their devices. The change protects users from being locked out of services and enhances their security and convenience.

We released Google Authenticator in 2010 as a free and easy way for sites to add “something you have” two-factor authentication (2FA) that bolsters user security when signing in. While we’re pushing towards a passwordless future, authentication codes remain an important part of internet security today, so we’ve continued to make optimizations to the Google Authenticator app.

Update, April 27, 2023: Researchers at Mysk security have found that the 2FA codes being synced to the cloud are not protected with end-to-end encryption, creating a security risk. They wrote on Twitter:

“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. This means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”

Mysk further explained that the unencrypted traffic contained a “seed” that generates the 2FA codes, and that anyone with access to that seed could generate their own codes for the same accounts and break into them.
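Why the seed is the only secret that matters, shown as an added example that is not from the original article or from Google's code. It assumes the app uses standard TOTP (RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits), which the article does not state; the seed is the constructed RFC 6238 test value and `codes_for_two_holders` is a hypothetical helper.

```python
import base64
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of time steps since the Unix epoch."""
    return hotp(seed, unix_time // step, digits)


def decode_seed(b32: str) -> bytes:
    """Seeds are usually exchanged as Base32 text; normalise case and padding."""
    text = b32.replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


# Constructed sample: the published RFC 6238 test seed, never a real account seed.
RFC_SEED = b"12345678901234567890"
SEED_B32 = base64.b32encode(RFC_SEED).decode()


def codes_for_two_holders(seed_b32: str, unix_time: int) -> tuple:
    """Two independent holders of the same seed derive the same code.

    Nothing device-specific enters the computation, so a copy of the seed held
    anywhere else (a sync server, a backup) yields valid codes as well.
    """
    on_phone = totp(decode_seed(seed_b32), unix_time)
    from_copy = totp(decode_seed(seed_b32.lower()), unix_time)
    return on_phone, from_copy


if __name__ == "__main__":
    print(codes_for_two_holders(SEED_B32, 1234567890))
```

Because a code depends only on the seed and the clock, a seed that may have been exposed can only be retired by re-enrolling 2FA at the service so that a new seed is issued.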

The update also brings a new icon, illustrations, and improved UI. The release notes read:

Cloud syncing: Your Authenticator codes can now be synced to your Google Account and across your devices, so you can always access them even if you lose your phone.

New icon and illustrations: The app has been updated with a new icon and illustrations that are more modern and user-friendly.

Improved UX and visuals: We’ve made the app easier to use and more visually appealing.

Existing users can update their Google Authenticator app to enjoy Google Account synchronization and new users can download the app from the App Store. It is compatible with iPhone, iPad, and iPod touch and requires iOS 13.0 or later. The Android version of the app also features the new changes.
