I wrote about the new functionality of the Google Authenticator app yesterday – but said I was going to hold off advising clients to use this functionality until I had had a look at it. I just want to look at the functionality of this new service as it will be handling extremely sensitive one-time passwords and other information.
Google Authenticator App gets an update and some advice on MFA – Smart Thinking Solutions
Today researchers at Mysk are voicing concerns that the information that is being backed up and then shared across devices is being transmitted without encryption – so it is not secure. There is even speculation that the secret information may be stored on Google servers unencrypted!
Google will add End-to-End encryption to Google Authenticator (bleepingcomputer.com)
Cyber Security 101 – encryption is essential for data in transit and data at rest.
So hold off on enabling backup and sharing in the Google Authenticator app for a while, until Google fixes this slip-up.
Clive Catton MSc (Cyber Security) – by-line and other articles