Google announced a significant update to its Authenticator app for Android and iOS on Monday, introducing an account synchronization option that allows users to back up their time-based one-time passwords (TOTPs) to the cloud.
Enhanced protection and convenience
“This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security,” said Google’s Christiaan Brand.
The update not only brings a new icon to the two-factor authentication (2FA) app but also introduces a feature similar to Apple’s iCloud Keychain, applied to TOTP codes. This addresses a long-standing issue: the Authenticator app was tied to the device it was installed on, which made switching phones and managing TOTP codes difficult.
Previously, users who lost access to their devices entirely “lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.”
Optional cloud sync feature
The cloud sync feature is optional, which means users can choose to use the Authenticator app without linking it to a Google account. However, it’s essential to remember the risk that comes with any cloud backup: a malicious actor who gains access to the Google account would also obtain the synced 2FA secrets and could use them to break into the other online services they protect.
This development follows Proton, a Swiss privacy-focused company with over 100 million active accounts, unveiling an end-to-end encrypted password manager solution called Proton Pass.
The open-source and publicly auditable tool uses the bcrypt password hashing function and a hardened version of the Secure Remote Password (SRP) protocol for authentication, with 2FA integration included.
Upcoming end-to-end encryption
Google plans to offer end-to-end encryption (E2EE) for its cloud sync feature after security researchers at Mysk and Sophos highlighted potential security concerns with syncing 2FA tokens across devices. The company noted that data is encrypted in transit and at rest, including within the Authenticator app, but not end to end. Google added, “E2EE is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery.”