Google's Authenticator app, which was updated earlier this week to allow cloud-based backup of two-factor authentication (2FA) secrets via your Google account, is not end-to-end encrypted, according to software company Mysk.
“We analyzed the network traffic when the app syncs secrets, and it turns out that the traffic is not end-to-end encrypted,” Mysk said via Twitter, as reported by Gizmodo earlier Wednesday. As shown in the screenshots, this means that Google can see secrets, likely even while they are stored on their servers. There is no option to add a passphrase to protect secrets.
Secrets (cybersecurity terminology): a private piece of information used to unlock protected or sensitive information.
Google just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don’t turn it on.
The new update allows users to sign in with their Google accounts and sync two-factor authentication secrets across their iOS and Android devices … pic.twitter.com/a8hhelupZR
– Mysk (@mysk_co) April 26, 2023
Security researchers at Mysk recommend that people not turn on the ability to sync 2FA tokens across devices and the cloud.
The long-awaited 2FA feature lets you keep accessing your codes even if your phone is lost or stolen: the codes for Gmail, banking apps, or other services that support 2FA remain available through your Google account even when your original device is not at hand. Unfortunately, the feature does not come with the same level of encryption when enabled — at least for now.
“End-to-end encryption (E2EE) is a powerful feature that provides additional protection, but at the expense of enabling users to secure their private data without recovery,” a Google spokesperson told CNET via email. “To ensure that we offer a full range of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”
Google says it introduced the feature in this initial way for convenience.
2FA gives you an extra layer of security on top of your passwords. The additional code generated via the Authenticator app can prevent bad actors from logging into your account using the password alone. But for big tech companies, passwords are ultimately a weak and ineffective way to keep accounts secure.
Google, Apple and Microsoft work together in the FIDO Alliance, whose acronym stands for “Fast IDentity Online”. The goal is to get websites to give up passwords in favor of biometric logins instead. This can include a fingerprint scan or a face scan; it can also include a verification check on your phone. Moving websites to a “passwordless future” will take time, and until then two-factor authentication (2FA) will remain an important way to keep accounts secure.