- Security firm Slowmist has warned of “huge risks” associated with Google’s new 2FA cloud backup
- Google Authenticator users can now back up their 2FA ‘portfolio’ to the cloud and sync it to a new device
- This cloud backup may be more convenient, but it presents a new level of security risk
Security firm Slowmist has warned that Google’s new cloud backup feature for its Authenticator app represents “huge risks” to a user’s security. Google announced that, for the first time, the secrets used to generate a user’s two-factor authentication (2FA) codes will be backed up to the user’s Google account, meaning that users won’t lose access if they lose their phone. While this is convenient, Slowmist has warned that users who enable the feature are placing all of those secrets behind a single Google account: anyone who compromises that account (or the mailbox attached to it) gains the second factor for every service in the backup.
Cloud Backup Allows for Easy Sync
Google Authenticator has long been criticized because the secrets it uses to generate codes are stored only on the device, so users cannot recover their codes if something happens to their phone. Google has sought to change this by introducing cloud backup, meaning a user’s 2FA ‘portfolio’ can be synchronized to a new device quickly and easily.
While this will be a boon to many, Slowmist has warned that it presents immediate security complications:
🚨SlowMist Security Alert🚨
Recently, @Google Authenticator iOS has launched version 4.0, which supports cloud synchronization. Users can synchronize the verification code generated by the authenticator to all Google accounts and devices, and can obtain the verification code at…
— SlowMist (@SlowMist_Team) April 25, 2023
These risks were outlined by the website The Hacker News, which pointed out that “it’s always worth keeping in mind the pitfalls associated with cloud backups, as a malicious actor with access to a Google account could leverage it to break into other online services.”
Anyone wanting to use the cloud sync feature should first make their Google account as secure as it can possibly be: with sync enabled, a compromise of that account is instantly a compromise of the second factor on every site the user protects with the app, which for many readers includes their crypto accounts.