Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security

.... if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.

Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.
Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.

The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now.

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security
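As an added example (not code from the thread or from Google), this shows what a 2FA QR code actually carries and why anyone holding the seed derives the same one-time codes: it parses the otpauth:// URI format such QR codes encode and implements HOTP (RFC 4226) and TOTP (RFC 6238) over the base32 seed, the same standards the FreeOTP+ reply further down points to. The URI below is constructed; its seed is the RFC test key, not a real account secret.

```python
"""Parse the otpauth:// URI inside a 2FA QR code and derive codes from its seed."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample QR payload: issuer, account name and the raw seed are all in clear.
SAMPLE_URI = ("otpauth://totp/Twitter:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Twitter&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Return the fields a QR code exposes: type, issuer, account, secret, digits, period."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    label = unquote(parsed.path.lstrip("/"))          # "Issuer:account" or just "account"
    issuer_from_label, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "type": parsed.netloc,
        "issuer": params.get("issuer", issuer_from_label.strip()),
        "account": account.strip(),
        "secret": params["secret"],                    # the seed that must never leak
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))   # restore base32 padding
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret_b32, at_time // period, digits)


def codes_match(uri: str, at_time: int) -> bool:
    """Two parties holding the same parsed seed (user and anyone who read it) agree on the code."""
    fields = parse_otpauth(uri)
    user_code = totp(fields["secret"], at_time, fields["digits"], fields["period"])
    other_code = totp(fields["secret"], at_time, fields["digits"], fields["period"])
    return user_code == other_code
```

An end-to-end encrypted sync would encrypt the `secret` field under a key derived from something only the user holds before it ever leaves the device; without that, the server holds everything this parser prints.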

Google responded:

@mysk I don't buy this 100%

Why couldn't they put the option in at launch? Or do like they do in Chrome and use your Google account to decrypt if it's for convenience?

There's no way the Authenticator team didn't see this coming...

@mysk Well, THAT’s not the truth… You pulled that seed right out of the network stream…

@mysk "Strikes the right balance" of the number of employees and systems that gain access to your 2FA secrets...

Amazing.

@mysk How could someone lock themselves out when transferring 2fa secrets to another device?
@mysk
Now what's the difference he's riding between E2E and E2EE? I've only heard both being used synonymously..
@mysk Just another serving of the usual Big Tech “Just trust us; we know what we’re doing.” 🙄

@mysk tl;dr: Syncing your shit with Google allows Google to see your shit. News at eleven.

Honestly, who would add their Google account to an app to sync its data and then expect privacy?

@jomo @mysk It is perfectly possible for Google, or anyone else, to implement syncing without letting themselves see the data. This is not a "well, duh!" situation.

And given authentication is a very security-sensitive field we should be able to expect more from Google here!

@alcinnz @jomo @mysk indeed. E2E encryption would not only be relatively easy, it is to be expected and common in this area.

@alcinnz @jomo @mysk In order to be able to encrypt stuff you need a key of some sort. If the app doesn't ask for a key, then sure, yes, it's a well duh situation.

The same applies to their password manager which is also not E2EE. They store passwords encrypted with an online key they control lol.

To be fair, storing passwords unencrypted in your Google account is usually not much of an issue because you can just request password reset emails to the Gmail anyway if you pwned the account.

@jomo @mysk There are people who just don't know or are not educated enough about privacy.
@nhan @jomo @mysk Additionally, it's "promoted" on loads of Authenticator setups; a lot of people think Authenticator = Google Authenticator.
The amount of times I have tried to push people in the IT field to better solutions (Yubikeys or things like Aegis), and they go yeah but Google's works fine...
@oci3o @jomo @mysk I think we all agree that it's a spectrum and there's a tradeoff between security and inconvenience. They may be at a different risk tolerance level than you are. I think Google Authenticator is a nice balance for the public. If whatever you do requires more security you're probably actively equipping yourself with that knowledge and device.
@nhan @jomo @mysk 100%, threat models between everyone differ, however if E2EE was enabled with this, it could be a good solution for most people, however then you risk issues if your Google account gets taken over etc.
Advanced Protection could help, IF Google enables E2EE, but we are going outside 95% of the population's tolerance here.

@oci3o @jomo @mysk I agree that if your Google account is taken over it'd be catastrophic. However, to gain access to your Google account you need 2FA in the first place.

Advanced Protection is a bit much for me. (Btw I have no IT security knowledge). Also Google is heading towards a passwordless future and this 2FA code is just a transition phase.

@jomo @mysk because this is a matter of security not privacy. What Google is doing here is simply stupid.

@jomo @mysk the thing is, 2FA keys in iCloud Keychain are E2EE. So it can absolutely be done.

(Does anyone know if Authy uses E2EE?)

@jomo @mysk WAY too many people don't think the way we do. I would never do that just on principle, but they *pay me* to be a paranoid BOFH, and I don't put that habit away when quittin' time comes around.

I agree, giving Google more info than is necessary is unthinkable... but this implies the *think*... and thereby hangs a tail... [stet]

@mysk or don’t use Google Authenticator

@mlevison
Yubikey authenticator. No on-phone secrets!

(Yubikey not included)
@mysk

@EricCarroll @mlevison @mysk problem with Yubikeys for a lot of less "technically" minded people is A: they will lose it B: why spend £100+ on x2 keys and C: they can't be arsed.
Plus personally, Yubikey for me is a high risk account thing, I don't use it on services I don't care about losing, but they are still protected using say Aegis.
@EricCarroll @mlevison @mysk I might go down this route but I think a lot of 2fa compatible stuff is not FIDO compatible but that’s not something I’ve looked closely into

@mysk

Naturally all of this surprises me exactly 0%

@mysk Right. Don’t use Google for this. Use 2FAS instead. https://2fas.com/

@ezrabowman @mysk oh nice I've been meaning to look for an alternative. This looks better anyways from a basic usability pov. Like they have search? Been hoping g would add that. I guess I don't have to wait now.

Need to look at how syncing works though.

@teleclimber @mysk it syncs via iCloud and allows import/export.
@mysk For the technologically impaired, how would someone locate this option to ensure their settings please?
@CoastalCoasting @mysk - Installing it on Android just now, the functionality wasn’t there
- Updating on iOS brought the functionality and there was a wizard which prompted. I chose not to. In the UI I see a sync icon (cloud with diagonal line through it) and a Google profile selection icon (person icon). It appears to be through that where you can choose to sync or not
@james @CoastalCoasting @mysk yikes mine was enabled by default! Just set it to work without account and it claims it's being deleted from my Google account. Sigh. Time to change all the 2FA on everything of mine and use a different app.
@CoastalCoasting @mysk in iOS click on your avatar in the top right, it'll tell you that it's opt out

@femaven @mysk

Thank you!

Google plans to add end-to-end encryption to Authenticator

Google says it will bring end-to-end encryption to Google Authenticator’s new account-syncing feature after facing criticism for not including it with the update.

The Verge

@femaven @mysk

Really appreciate you thanks!

@mysk I recommend migrating to free and open source alternative Aegis, available on the Play store and F-Droid.
Migration is simple, but requires an external camera. Aegis can backup your 2FA codes to the cloud and supports encryption out of the box.

@mysk is it still possible to export via QR codes like in the previous versions (v3.4.0 or earlier)?

I haven't updated to v4.0.0 yet for these reasons.

@mysk We know Google is evil, but they are supposed to be *competently* evil.
@mysk
Ugh. Must everything be more difficult?
@mysk I have solved the problem they were trying to address with this update by getting a cheap discardable Android phone with the sole purpose of installing the Authenticator and regularly backing up the secrets from my primary phone onto it.
It lives in my drawer powered off, and it's already saved my skin once when my main phone decided to not turn on anymore.
@mysk Also they can be sniffed.

@mysk I'd rather recommend to avoid it at all costs and choose a non-proprietary #2FA method like #HOTP (#RFC4226) & #TOTP (#RFC6238)...

Like FreeOTP+ does:
https://f-droid.org/en/packages/org.liberty.android.freeotpplus/


@mysk suck to sucks for google, been using MS Auth for about a year now and love it - i might try it again
@karadanvers @mysk when I export my MS auth data, does it contain the totp secrets? Asking because of backup and potential move to my own totp generator
@mysk Thanks for the warning. I use it, so I'll be sure cloud sync isn't enabled when it updates on my phone. #2FA #Google

@mysk I thanked LastPass for letting me get those seeds when I migrated all of my data out of their platform years ago... Being able to stop using anything lastpass was Priority #1, then re-keying my TOTPs was #2 along with changing passwords...

I still don't use google authenticator and was wondering if the seeds were user readable after this change.... I guess they are if you intercept payloads.

@mysk Layman question - is the sync of 2FA secrets 'opt in' or automatically happening?
@pixelpusher220 The app prompts you to enable syncing. You can dismiss it and continue using the app without syncing the secrets. You can change that in the settings too.
@mysk have you seen the same behavior with Authy?
@mysk Authy asks for a password occasionally (so you don't forget it). I stopped using Google Authenticator a while ago.