If anyone is using Google Authenticator you might not want to enable the new sync feature as it might not encrypt the info.
I've been meaning to move to something different (Authy?) anyway since there's no way to lock the app itself.
https://gizmodo.com/google-authentic...ted-1850377102
Quote:
On Monday, Google announced a long-awaited feature, which lets you sync Authenticator to a Google account and use it across multiple devices. That’s great news because in the past, you could end up locked out of your account if you lost the phone with the authentication app installed.
But when app developers and security researchers at the software company Mysk took a look under the hood, they found the underlying data isn’t end-to-end encrypted.
“We tested the feature as soon as Google released it. We realized that the app didn’t prompt or offer an option to use a passphrase to protect the secrets,” the company wrote on Twitter.
“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” the company added added. “As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers.”
|