PSA: Google Authenticator's Cloud-Synced 2FA Codes Aren't End-to-End Encrypted

by

Earlier this week, Google updated its Authenticator app to enable the backup and syncing of 2FA codes across devices using a Google Account. Now an examination by Mysk security researchers has found that the sensitive one-time passcodes being synced to the cloud aren't end-to-end encrypted, leaving them potentially exposed to bad actors.

google authenticator
Prior to the integration of Google Account support, all codes in the Google Authenticator app were stored on device, which meant that if the device was lost, so too were the one-time passcodes, potentially causing loss of account access as well. But it seems that by enabling cloud-based syncing, Google has opened up users to a security risk of a different sort.

"We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted," said Mysk via Twitter. "This means that Google can see the secrets, likely even while they're stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."

"Secrets" is a term used to refer to private pieces of information that act as keys to unlock protected resources or sensitive information; in this case, one-time passcodes.

Mysk said that its tests found the unencrypted traffic contains a "seed" that's used to generate the 2FA codes. According to the researchers, anyone with access to that seed can generate their own codes for the same accounts and break in to them.

"If Google servers were compromised, secrets would leak," Mysk told Gizmodo. Since the QR codes involved with setting up two-factor authentication contain the name of the account or service, the attacker can also identify the accounts. "This is particularly risky if you're an activist and run other Twitter accounts anonymously," added the researchers.

Mysk subsequently advised users not to enable the Google account feature that syncs 2FA codes across devices and the cloud.


Responding to the warning, a Google spokesperson told CNET it had added the sync feature early for convenience's sake, but that end-to-end encryption is still on its way:

End-to-End Encryption (E2EE) is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To ensure that we're offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future."

Until that happens, there are alternative services for syncing authentication codes across devices, such as Apple's own 2FA code generator and third-party apps like Authy.

Tags: Encryption, Google, Security, Two-Factor Authentication

Popular Stories

Apple Logo Zoomed

Tim Cook Teases Plans for Apple's Upcoming 50th Anniversary

Thursday February 5, 2026 12:54 pm PST by
Apple turns 50 this year, and its CEO Tim Cook has promised to celebrate the milestone. The big day falls on April 1, 2026. "I've been unusually reflective lately about Apple because we have been working on what do we do to mark this moment," Cook told employees today, according to Bloomberg's Mark Gurman. "When you really stop and pause and think about the last 50 years, it makes your heart ...
Read Full Article148 comments
wwdc sans text feature

Apple Rumored to Announce New Product on February 19

Thursday February 5, 2026 12:22 pm PST by
Apple plans to announce the iPhone 17e on Thursday, February 19, according to Macwelt, the German equivalent of Macworld. The report, citing industry sources, is available in English on Macworld. Apple announced the iPhone 16e on Wednesday, February 19 last year, so the iPhone 17e would be unveiled exactly one year later if this rumor is accurate. It is quite uncommon for Apple to unveil...
Read Full Article
Finder Siri Feature

Why Apple's iOS 26.4 Siri Upgrade Will Be Bigger Than Originally Promised

Friday February 6, 2026 3:06 pm PST by
In the iOS 26.4 update that's coming this spring, Apple will introduce a new version of Siri that's going to overhaul how we interact with the personal assistant and what it's able to do. The iOS 26.4 version of Siri won't work like ChatGPT or Claude, but it will rely on large language models (LLMs) and has been updated from the ground up. Upgraded Architecture The next-generation...
Read Full Article154 comments
iOS 26

iOS 26.3 and iOS 26.4 Will Add These New Features to Your iPhone

Tuesday February 3, 2026 7:47 am PST by
While the iOS 26.3 Release Candidate is now available ahead of a public release, the first iOS 26.4 beta is likely still at least a week away. Following beta testing, iOS 26.4 will likely be released to the general public in March or April. Below, we have recapped known or rumored iOS 26.3 and iOS 26.4 features so far. iOS 26.3 iPhone to Android Transfer Tool iOS 26.3 makes it easier...
Read Full Article37 comments
iphone 17 pro dark blue 1

iPhone 18 Pro Max Rumored to Deliver Next-Level Battery Life

Friday February 6, 2026 5:14 am PST by
The iPhone 18 Pro Max will feature a bigger battery for continued best-in-class battery life, according to a known Weibo leaker. Citing supply chain information, the Weibo user known as "Digital Chat Station" said that the iPhone 18 Pro Max will have a battery capacity of 5,100 to 5,200 mAh. Combined with the efficiency improvements of the A20 Pro chip, made with TSMC's 2nm process, the...
Read Full Article107 comments

Top Rated Comments

icanhazmac Avatar
icanhazmac
37 months ago
Shocking! /s

This, along with the privacy scorecard, makes this a hard pass.




Keep in mind, this is an authenticator app, what could it possibly need all that identifiable data for besides wholesale collection? This is basically spyware!

Attachment Image
Score: 16 Votes (Like | Disagree)
szw-mapple fan Avatar
szw-mapple fan
37 months ago
Way top destroy the reputation of this service by launching early. End-to-end encryption for 2FA Codes is a must and should be ready on day one. This not only demonstrates that the service itself might be vulnerable but also that Google is not serious about security and encryption and only implementing it as kind of an afterthought.
Score: 11 Votes (Like | Disagree)
andrewxgx Avatar
andrewxgx
37 months ago
so you can encrypt passwords with separate password, but cant encrypt 2FA seeds?
comedy gold
Score: 10 Votes (Like | Disagree)
mystery hill Avatar
mystery hill
37 months ago
iCloud Keychain is really good if you’re only using Apple devices - it auto fills and is end-to-end encrypted.
Score: 8 Votes (Like | Disagree)
sw1tcher Avatar
sw1tcher
37 months ago

Shocking! /s

This, along with the privacy scorecard, makes this a hard pass.




Keep in mind, this is an authenticator app, what could it possibly need all that identifiable data for besides wholesale collection? This is basically spyware!
Wait until you see how much data is linked to you from this "wholesale collection" app :p

https://apps.apple.com/us/app/apple-music/id1108187390



Attachment Image
Score: 7 Votes (Like | Disagree)
szw-mapple fan Avatar
szw-mapple fan
37 months ago

Wait until you see how much data is linked to you from this "wholesale collection" app :p

https://apps.apple.com/us/app/apple-music/id1108187390


To be fair, Apple Music is also a music store with social media features and provides personalized music recommendations. It needs to collect/store most of these kinds of info since it literally needs them to function. An authenticator app should require none of these things. If you look at Apple apps that don't need these data and compare them with similar apps in the same category, Apple's data collection is typically minimal.

For example,

Apple Mail:



Versus Gmail:



Attachment Image

Attachment Image
Score: 7 Votes (Like | Disagree)
Read All Comments