Google Authenticator Finally Supports Cloud Sync, but No End-to-End Encryption Yet
After 13 years, Google Authenticator has finally introduced cloud synchronization support, as reported by landian.news yesterday.
With cloud sync, users can now store all their TOTP/2FA information in their Google accounts, enabling cross-platform synchronization and quick recovery if a phone is lost. However, Google Authenticator does not yet support end-to-end encryption (E2EE), which means that if users enable sync, Google can read their TOTP/2FA information, a potential security risk.
Regarding the lack of E2EE support, Google engineers have explained that the new cloud sync feature aims to provide user protection while remaining practical and convenient. They acknowledge that E2EE is a powerful feature for additional protection, but its downside is that if users forget or lose their Google account password, they won't be able to recover their data.
In simpler terms, Google's position is that if the data were encrypted and users lost access to their accounts, Google would be unable to help them decrypt it. This reasoning seems tenuous, considering that mainstream password managers and built-in browser password managers likewise require a master key which, if lost, makes the data irrecoverable; that tradeoff should not be a reason for Google to avoid supporting E2EE either.
Google has also promised to add E2EE support in the future if users ask for it. Once E2EE is enabled, no one but the user, Google included, will be able to access their authentication information.
Google also advises privacy-conscious users to consider leaving the sync feature disabled; it is off by default. In principle, keeping the secrets entirely offline on the device is the most secure option; otherwise, if a user's Google account is compromised, all of their authentication information could be exposed.