Google Authenticator is not your friend

SkypLabs published on

Categories: News

The Google Authenticator mobile application has been around for more than a decade, allowing users to generate Time-based One-Time Passwords (TOTP) locally on platforms such as Android and iOS. A few days ago, an update was released adding a couple of new features, including the possibility to synchronise your TOTP secrets with Google.

Even more data sent to Google

The synchronisation feature has been under the spotlight recently, as it has been proven that the TOTP secrets are not sent end-to-end encrypted (E2EE) to Google. This poses both privacy and security issues. Google would know the list of all your online accounts for which you have enabled TOTP Two-Factor Authentication (2FA), giving them another opportunity to produce an even more complete picture of your online activities. It also increases the number of threats to your digital life, as your TOTP secrets can be stolen if either your Google account or Google’s infrastructure is compromised.
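To make both issues concrete, here is an added example (not code from the original post or from Google) showing what any party holding a plaintext TOTP entry can read and compute. It assumes the entry carries the fields of the common otpauth:// key URI format; the issuer, account and secret are constructed, the secret being the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample entry in the otpauth:// key URI format. The secret is the
# RFC 6238 test key ("12345678901234567890" in Base32), not a real credential.
SAMPLE_URI = ("otpauth://totp/ExampleBank:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank")

def parse_otpauth(uri):
    """Return the fields readable by whoever stores a non-E2EE entry."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    q = parse_qs(u.query)
    issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    return {
        "issuer": q.get("issuer", [issuer])[0],   # which service you use
        "account": account,                        # which identity you use there
        "secret": q["secret"][0],                  # the whole second factor
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1: depends only on the secret and the time."""
    pad = "=" * (-len(secret_b32) % 8)             # Base32 needs 8-char blocks
    key = base64.b32decode(secret_b32.upper() + pad)
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def exposed_view(uri, unix_time):
    """Everything derivable from the plaintext entry alone, no device needed."""
    e = parse_otpauth(uri)
    code = totp(e["secret"], unix_time, e["digits"], e["period"])
    return e["issuer"], e["account"], code

if __name__ == "__main__":
    import time
    print(exposed_view(SAMPLE_URI, int(time.time())))
```

With E2EE, the storing party would hold only ciphertext and could derive none of these three values.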

Our recommendation

Two criteria should be prioritised when choosing an online service for storing and processing sensitive data, and they can be expressed as the following questions: is the data end-to-end encrypted before leaving your device, and is the software processing your data open-source?

E2EE significantly increases your privacy and security, as neither the online services you send data to nor any potential attacker exploiting a security breach in those services will be able to spy on you. Additionally, if the software sending your data is open-source, it can be audited by security experts, guaranteeing the absence of security flaws and backdoors.

ente Authenticator ticks the boxes by providing a way to synchronise your TOTP secrets easily while protecting your accounts and respecting your privacy. Their implementation of E2EE has been audited by Cure53 and Symbolic Software, and “together they have certified that ente’s architecture is sound and that [their] implementation across all clients is cryptographically accurate”. As of today, this service is free of charge.

Conclusion

As explained earlier in this post, using the synchronisation feature of Google Authenticator poses security and privacy issues, and is therefore discouraged. We recommend people use user-respecting software like ente Authenticator or equivalent.