The Google Authenticator is not free of criticism and omissions. For example, demand for a function that synchronizes the secret seeds to other devices has grown ever louder. However, Google failed to incorporate E2E encryption into it. This is now to be retrofitted.
Plain text for encryption
When people speak in plain language, something is expressed clearly and openly. When a transmission is in plain text in the technical sense, that can be a security vulnerability. The secret seeds from which the Google Authenticator calculates the code for the second factor of two-factor authentication (2FA) have so far been transmitted in plain text. The problem: in theory, plain text makes it possible to bypass multi-factor authentication, because the data can be intercepted by intermediaries. All that is required is access to the relevant network. That is an open invitation for attackers to try to break into the network, and it makes two-factor authentication via the Google Authenticator more dangerous than before. Google itself could also easily read the data within its own network, since it is available there in plain text. Although it is unlikely that Google itself would tamper with this data, there are black sheep everywhere who sense an opportunity to enrich themselves at the expense of others. Google has become directly aware of the problem and has responded to it. In a statement, it promised that the security of users always comes first and that it takes its responsibility for their data very seriously. For this reason, the company is already considering ways to restore the protection of user data, with end-to-end encryption (E2E encryption) at the forefront. However, Google still sees some disadvantages for its users and therefore does not want to rush into anything.
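To make concrete why a seed that travels in plain text is equivalent to handing over the second factor, here is an added example (not Google's code and not from the original article): it implements the standard TOTP derivation that authenticator apps use (RFC 6238, HMAC-SHA1, 30-second steps), with the RFC's published reference secret as a constructed stand-in for a real seed, and shows that any party holding the seed computes exactly the code the user's phone displays. The function and variable names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed stand-in for a synced seed: the RFC 6238 reference secret
# "12345678901234567890", base32-encoded as in an otpauth:// URI (not a real account).
SAMPLE_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(seed_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and 30-second steps, the defaults authenticator apps use."""
    clean = seed_b32.strip().upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))   # restore base32 padding if stripped
    counter = unix_time // step                                # time steps since the Unix epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def seed_holder_reproduces_code(captured_seed_b32: str, unix_time: int, code_entered_by_user: str) -> bool:
    """Models any third party that read the seed from an unencrypted sync payload:
    the seed alone is enough to reproduce the user's current second factor."""
    return hmac.compare_digest(totp(captured_seed_b32, unix_time), code_entered_by_user)


if __name__ == "__main__":
    now = int(time.time())
    users_code = totp(SAMPLE_SEED_B32, now)                    # what the user's phone displays
    print("user's code:            ", users_code)
    print("seed holder reproduces: ", seed_holder_reproduces_code(SAMPLE_SEED_B32, now, users_code))
```

The point of an E2E-encrypted sync is that the server and anyone on the path only ever see ciphertext, so this derivation cannot be run by anyone but the holder of the decryption key.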
E2E for Google products
End-to-end encryption is a popular way of handling sensitive data. It offers additional protection against attacks and unauthorized access. However, Google itself has so far been somewhat reluctant to use this method for its services. This is because, with E2E encryption, data that a user can no longer decrypt cannot be restored for them, so they would be locked out of their own data. Although E2E encryption would close the security gap, the users themselves could then also be locked out, and that is of course something you want to prevent. Nevertheless, Google has already started to equip individual products with an option for E2E encryption. The Google Authenticator is not yet one of them, but is set to follow in the future; exactly when is not clear. Although Google considers E2E encryption to be a very strong and useful function, it does not appear to want to build it directly into all products and applications, and the Google Authenticator is apparently not at the top of the priority list, though it will be at some point. In any case, end-to-end encryption will not become mandatory for Google's products: it is to remain optional so that users can manage their own backup strategies if they wish. However, the option is not yet available and the security gap remains open. For this reason, heise Security, which was among the first to report this problem, advises against using Google Authenticator for the time being and recommends that users temporarily switch to an alternative, at least until E2E encryption is also available in Google Authenticator.
Conclusion
The Google Authenticator is currently struggling with a security vulnerability due to the lack of E2E encryption, which means that the protection of your own data is no longer guaranteed. It is not known how long this situation will last. Google is aware of the problem and has already announced steps to restore the security of its users' data. Until then, it is advisable to use another form of multi-factor authentication, for example the Authenticator from Reiner SCT, which offers maximum security and has no security gaps.