The Google Authenticator app for iOS has been updated with Google Account synchronization to back up and sync one-time access codes across devices.
Designed as an additional layer of security for users’ online accounts, the Google Authenticator app adds a second verification step when signing in. Along with the password, users need to enter the two-factor authentication (2FA) code generated by the app on their iPhones. The app works offline and does not require a network or cellular connection to generate the verification code.
Users will have access to Google Authenticator app’s 2FA codes even when their iPhones are lost
Previously, the Google Authenticator app stored one-time codes only on a single device. If that device was lost or stolen, users could no longer access those codes and could not sign in to any service on which they had set up 2FA via the app.
Now the new Google Authenticator app version 4.0 resolves that problem with support for Google Account synchronization. One-time codes are stored in users’ Google Accounts for easy access across their devices. The change protects users from being locked out of services and enhances their security and convenience.
We released Google Authenticator in 2010 as a free and easy way for sites to add “something you have” two-factor authentication (2FA) that bolsters user security when signing in. While we’re pushing towards a passwordless future, authentication codes remain an important part of internet security today, so we’ve continued to make optimizations to the Google Authenticator app.
[Update, April 27, 2023: Researchers at Mysk security have found that the 2FA codes being synced to the cloud are not protected with end-to-end encryption, creating a security risk. They wrote on Twitter:
“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. This means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”
Mysk further explained that the traffic, which is not end-to-end encrypted, contained a “seed” that generates the 2FA codes, and that anyone with access to that seed could break into accounts by generating their own codes for the same accounts.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
Furthermore, the new update also brings a new icon, illustrations, and improved UI. The release notes read:
Cloud syncing: Your Authenticator codes can now be synced to your Google Account and across your devices, so you can always access them even if you lose your phone.
New icon and illustrations: The app has been updated with a new icon and illustrations that are more modern and user-friendly.
Improved UX and visuals: We’ve made the app easier to use and more visually appealing.
Existing users can update their Google Authenticator app to enjoy Google Account synchronization and new users can download the app from the App Store. It is compatible with iPhone, iPad, and iPod touch and requires iOS 13.0 or later. The Android version of the app also features the new changes.