- Google has rolled out a new feature for its Authenticator app that syncs the app's one-time-code secrets across devices.
- Security researchers found that the new sync feature does not use end-to-end encryption, so the synced secrets are not protected by a key that only the user holds.
- The researchers recommend avoiding the feature for now.
Update, April 26, 2023 (03:29 PM ET): Christiaan Brand, whose title at Google is Product Manager: Identity and Security, responded on Twitter to the news story below. His statement (spread over four tweets) is reposted here for clarity:
We’re always focused on the safety and security of Google users, and the newest updates to Google Authenticator were no exception. Our goal is to offer features that protect users, BUT are useful and convenient. We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE [end-to-end encryption] is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line. Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.
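The trade-off in that statement (encryption at rest with a provider-held key versus end-to-end encryption with a key only the user can derive) is worth seeing concretely. The following Python is an added example for this page, not code from Google Authenticator or any description of how Google's sync actually works. It shows why a synced TOTP seed is as sensitive as the second factor itself (whoever holds the seed computes every code), then models both sync designs over the same sealed-blob format. Assumptions: the seed is the RFC 6238 test vector, the "provider key" and the user passphrase are hypothetical, and the authenticated encryption is an HMAC-SHA256 counter-mode construction standing in for AES-GCM because the standard library does not ship an AEAD.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Tuple

# RFC 6238 test seed ("12345678901234567890" in base32). Constructed test data,
# not anyone's real account secret.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Anyone holding the seed can produce every
    code, which is why a synced seed needs the same protection as the factor."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and authentication keys derived from one 32-byte key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream: a demo stand-in for AES-GCM.
    # Same shape as a real AEAD: nonce, keystream XOR, tag over nonce||ciphertext.
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + struct.pack(">I", counter)
        blocks.append(hmac.new(enc_key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key -> ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def provider_held_key_sync(seed: bytes) -> Tuple[bytes, bytes]:
    """Encryption at rest with a key the provider holds (hypothetical model).
    The provider can decrypt the blob, so it can restore a user who lost every
    device; so can anyone who obtains or compels use of that key."""
    provider_key = os.urandom(32)  # assumed to live in the provider's KMS
    return seal(provider_key, seed), provider_key


def user_passphrase_key(passphrase: str, salt: bytes) -> bytes:
    # Key derived on the client from a user-chosen passphrase; never sent upstream.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def e2ee_sync(seed: bytes, passphrase: str) -> Tuple[bytes, bytes]:
    """End-to-end encryption: only the passphrase holder can unwrap the seed."""
    salt = os.urandom(16)
    return seal(user_passphrase_key(passphrase, salt), seed), salt


def e2ee_restore(blob: bytes, salt: bytes, passphrase: str) -> bytes:
    return unseal(user_passphrase_key(passphrase, salt), blob)


def demo(seed_b32: str = RFC6238_SEED_B32) -> dict:
    seed = base64.b32decode(seed_b32)
    # Provider-held key: a restore needs nothing from the user, and the provider can read the seed.
    blob, provider_key = provider_held_key_sync(seed)
    provider_can_read = unseal(provider_key, blob) == seed
    # E2EE: the right passphrase restores the seed; a forgotten one fails closed (the lock-out).
    blob2, salt = e2ee_sync(seed, "correct horse battery staple")  # hypothetical passphrase
    restores = e2ee_restore(blob2, salt, "correct horse battery staple") == seed
    try:
        e2ee_restore(blob2, salt, "forgotten passphrase")
        locked_out = False
    except ValueError:
        locked_out = True
    return {"provider_can_read": provider_can_read,
            "e2ee_restores": restores,
            "e2ee_locks_out_on_wrong_passphrase": locked_out}


if __name__ == "__main__":
    print(totp(RFC6238_SEED_B32, 59, digits=8))
    print(demo())
```

Run it and `demo()` returns all three flags true: the provider-held design recovers the seed without the user, the E2EE design recovers it only with the passphrase, and a wrong passphrase raises instead of returning garbage. That last behaviour is the "locked out of their own data without recovery" cost the statement refers to; a real deployment would normally add a user-held recovery key rather than leave the passphrase as the single point of failure.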