Google is working on e2e encryption for Authenticator-2fa backup codes

The 2fa backup codes that Google’s Authenticator app can generate since this week are not end-to-end encrypted. Google confirms this after discovery by privacy researchers Mysk. Google says it is working on end-to-end encryption.

Data is stored encrypted during transmission and at rest, says Christian Brand, Group Product Manager at Google. However, this encryption is not end-to-end. Google says it has chosen this because end-to-end encryption has the risk that the user will be excluded from his or her data. The current implementation would therefore be a ‘right balance’ between security and ease of use, says Brand.

However, the company plans to release this end-to-end encryption, although Brand does not say when this would be. With the addition of end-to-end encryption, Google would like to ensure that users have “all options available to them”. Brand also points out that users can disable the cloud backup codes and thus use the app offline.

Brand’s tweets are a response to discoveries made by two privacy researchers who have united under the name of Mysk. Based on the network traffic, these researchers found out that the secrets to create a 2fa code are not sent with end-to-end encryption. Google or someone with access to Google’s data could see the secrets, the researchers say. The company released the cloud backup feature earlier this week.

(3/4) To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line.

— Christian Brand (@christiaanbrand) April 26, 2023