Google has just added a synchronisation feature to its two-factor authentication app, Google Authenticator, for Android and iOS. The app can now back up the secrets it uses to generate one-time passcodes (OTPs) to your Google account, making it easier to use the same codes across different devices and services. The sync is optional, and Google has added no protection for the backed-up secrets beyond the Google account itself. A researcher recommends not using the feature after discovering that the sync traffic is not end-to-end encrypted: Google can see the secrets in transit, and likely also while they are stored on its servers. There is also no option to set a passphrase that would keep the secrets readable only by the user.
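As an added illustration (not code from the podcast segment or from Google's app), the following Python shows why an exposed authenticator secret matters: the base32 seed in an otpauth:// provisioning URI is the entire credential, and anyone who holds it, including a party that reads unencrypted sync traffic or server-side storage, computes exactly the same RFC 6238 codes as the phone. The seed, URI and timestamps below are constructed test data (the RFC 6238 reference key), not a real account; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse
from typing import Optional


def decode_base32_seed(seed: str) -> bytes:
    """Decode a base32 TOTP seed as it appears in an otpauth:// 'secret' parameter.
    Tolerates lowercase, spaces and missing '=' padding, all common in QR/URI forms."""
    cleaned = seed.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth_uri(uri: str) -> dict:
    """Parse an otpauth://totp/... provisioning URI (the QR code content) into its fields.
    Everything needed to mint codes forever is in here; that is what a sync copies."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = urllib.parse.parse_qs(parts.query)
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "secret": decode_base32_seed(query["secret"][0]),
        "issuer": query.get("issuer", [None])[0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time window."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, digest)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """What a relying party does with the same seed: accept the code for the current
    window plus `window` windows either side to absorb clock drift, comparing in
    constant time. Note the server only needs the seed, nothing else, to do this."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


# Constructed example: the RFC 6238 reference key "12345678901234567890" in base32,
# embedded in a provisioning URI the way an authenticator app would receive it.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def codes_from_synced_seed(uri: str, unix_time: int) -> str:
    """Model the exposure described above: whoever can read the synced seed (here taken
    straight from the URI) produces the same code the user's phone shows."""
    entry = parse_otpauth_uri(uri)
    return totp(entry["secret"], unix_time, entry["period"], entry["digits"])


if __name__ == "__main__":
    now = int(time.time())
    print("label:", parse_otpauth_uri(EXAMPLE_URI)["label"])
    print("code an observer of the seed computes right now:", codes_from_synced_seed(EXAMPLE_URI, now))
```

The point of `verify_totp` is that the verifying server, the phone and any observer of the plaintext seed are symmetric: each needs only the seed. That is why a backup channel that transmits or stores seeds without end-to-end encryption is equivalent to handing over the second factor itself, and why a user-held passphrase (which the text notes the feature lacks) would matter.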

This segment was created for the It’s 5:05 podcast