Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Google Authenticator's mysterious security update does not enable end-to-end encrypti
#1
Exclamation 
Quote:Google has released a new update for its Google Authenticator application. The changelog reveals that Google "added device encryption to storage of secret value". Users who have hoped that Google would integrate end-to-end encryption to the application will be disappointed, as this is still not the case.

Google Authenticator was updated about a month ago. The main new feature that Google integrated into the application was two-factor authentication syncing. The applications syncs the stored data with a user's other devices, when turned on.

[Image: How-to-set-up-sync-in-google-authenticator-app.jpg]

While that sounds like a good usability improvement, as it means that users do not have to set up the functionality on all their devices manually, it turned out that Google did not implement end-to-end encryption of the data. In other words: attackers, for instance by using man-in-the-middle attacks, may read the secrets; this would give them access to the codes generated. A secret, or seed, is used to generate one-time codes for specific services or apps.

We advised Google Authenticator users to keep the feature turned off, or use a different authenticator application instead. End-to-end encryption encrypts the data on the user's device, so that sensitive information are protected.

The latest changelog of Google's Authenticator app suggests that Google has integrated the feature into the app. Tests, by the German Heise publisher, and confirmed by us, do not confirm the change. The changelog message, Added device encryption to storage of secret values, must mean something else then, but it is unclear what it does exactly.

Accounts added to Google Authenticator are synced to the cloud using TLS encryption. An inspection of the data reveals that the seeds are still Base32 encoded. Base32 can be decoded easily. Proper end-to-end encryption would not reveal any seed data, or any other data for the matter, thanks to the use of encryption.

Google Authenticator users should keep the cloud syncing functionality of the application turned off as a consequence.
...
Continue Reading
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
The slowest Meteor Lake spotted: Intel C...
Intel Core Ultra 5...harlan4096 — 12:47
Microsoft Edge fixes 0-day vulnerability...
Microsoft released...harlan4096 — 10:12
AnyDesk 8.0.9
AnyDesk 8.0.9:   ...harlan4096 — 10:10
AMD Confirms RDNA 3+ GPU Architecture F...
AMD Zen5-based Strix...harlan4096 — 10:08
Adobe Acrobat Reader DC 24.001.20629 (Op...
Adobe Acrobat Read...harlan4096 — 10:06

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>