Google Authenticator to get E2EE following complaints it is now less secure


It appears the new 2FA account cloud-syncing feature in Google Authenticator isn't end-to-end encrypted, though Google says end-to-end encryption will be added at a later date.

Google recently updated its authenticator app to allow users to back up their saved accounts that require a Time-based One-Time Passcode (TOTP) to authenticate their login, meaning that they can now easily transfer them to a new device.

However, the security researchers Mysk sent out a tweet advising against turning on this functionality, as it isn't end-to-end encrypted, meaning that Google, or a third party if the tech giant is breached, could see your codes.
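To make concrete what a synced Authenticator entry actually contains, here is an added example (not code from the article, Mysk or Google): a standard-library RFC 6238 TOTP implementation run on a constructed base32 seed. Whoever holds the seed, for instance from a backup that is not end-to-end encrypted, can compute every future code, which is why the seed deserves the same protection as a password.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed (not from the article): the base32 string an
# authenticator app stores after you scan a QR code. It is the base32 form of
# the RFC 6238 test key b"12345678901234567890".
SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time, zero-padded."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)          # time step as 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    steps to tolerate clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        candidate = totp(seed_b32, unix_time + drift * 30)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # With only the seed in hand, the current code is a single HMAC away.
    now = int(time.time())
    print("code for the constructed seed right now:", totp(SEED_B32, now))
```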

Convenience trade-off

End-to-end encryption is a security and privacy enhancing feature that encrypts sensitive content so that it can only be decrypted with a key, such as one derived from a password. For instance, it is the cornerstone of popular messaging apps such as WhatsApp, ensuring that content can only ever be seen by the sender and receiver - not even WhatsApp itself can take a peek.

Christiaan Brand, Product Manager for Identity and Security at Google, defended the omission by saying that the tech giant's "goal is to offer features that protect users, BUT are useful and convenient."

He added that "We encrypt data in transit, and at rest, across our products, including in Google Authenticator. E2EE... provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery."

However, he also said that E2EE will be coming to various Google products, including now the authenticator, sometime "down the line". He noted too that the app can still be used offline without having to sync 2FA accounts to a Google Account.

If you are using Google Authenticator, then you may be using it in conjunction with Google Password Manager. While it isn't our choice as the best password manager, it does offer on-device encryption, which means that your own device stores the key internally to unlock access to your vault. Also, Google says that this key is used to "lock your passwords before they’re saved to Google Password Manager", which means that, like end-to-end encryption, your passwords cannot be seen by Google or anyone else but you.

Google does caution, though, that this means that "if you lose the key, you could lose your passwords too." But this on-device encryption could be part of the push from Google and other big tech firms to ditch passwords altogether in favor of passkeys, which they want to be the future of credential security.

Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.