Google Authenticator doesn’t feature end-to-end encryption

Google’s new two-factor authentication tool has been discovered not to offer end-to-end encryption, which could lead to security risks.

The Authenticator app generates unique codes that websites require as a second layer of protection on top of user passwords. Earlier this week, Google announced that users would now be able to sync Authenticator to a Google account and use it across multiple devices. This move from the tech giant eliminates the risk of being locked out of your account because of a misplaced phone.

However, when security researchers and app developers at the software company Mysk dug deeper into the change, they noticed that the underlying data wasn’t end-to-end encrypted. The company went on to explain on Twitter that Google is able to see the ‘secrets’, likely even while they’re stored on its servers. In security, the word ‘secrets’ describes credentials that work as a key to unlock an account or a tool.

This opens up the possibility for Google to get a glimpse at users’ apps and data for the purpose of targeted ads.

As a means to bypass the issue, users can use Authenticator without connecting it to their Google account or syncing it across other devices. The downside of this is that it effectively renders the newest update useless.

Google might not be the only one who can see your data. The tests conducted found that the unencrypted traffic contains the seed that generates the two-factor authentication codes, and according to researcher Tommy Mysk, anyone with that seed can generate codes that can be used to breach your account.
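Why a copy of the seed is equivalent to the phone itself, as an added example (not from the original article, Mysk or Google): the standard TOTP algorithm (RFC 6238) derives each code from nothing but the seed and the clock. The seed used here is the RFC 6238 test key, a constructed sample, and `codes_match` is a hypothetical helper.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding if it was stripped
    return hotp(base64.b32decode(cleaned), unix_time // step, digits)


# Constructed sample: the RFC 6238 test key, base32-encoded the way
# authenticator apps store and export seeds.
SAMPLE_SEED = base64.b32encode(b"12345678901234567890").decode()


def codes_match(seed_on_phone: str, seed_copy: str, unix_time: int) -> bool:
    """Hypothetical helper: does a copy of the seed yield the phone's code?"""
    return totp(seed_on_phone, unix_time) == totp(seed_copy, unix_time)


if __name__ == "__main__":
    import time

    now = int(time.time())
    print("code on the enrolled phone:", totp(SAMPLE_SEED, now))
    print("code from a synced copy:   ", totp(SAMPLE_SEED.lower(), now))
    print("identical:", codes_match(SAMPLE_SEED, SAMPLE_SEED.lower(), now))
```

No device identifier or account password enters the calculation, so a seed that has been exposed stays usable until two-factor authentication is re-enrolled on the affected account and a new seed is issued.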

The discovery is concerning, considering the company has taken steps with similar tools to prevent data spying.

Google has yet to comment on the issue and has not announced plans to add password protection to Authenticator.

Source: @mysk_co Via: Gizmodo
