
The danger with Google’s new cloud backup for 2FA authenticator
April 25, 2023
By Tom Mitchelhill
Google’s new 2FA authenticator update could leave users vulnerable to single-point hacks and “SIM swapping” scams.
Google released an update for its popular authenticator app that stores a “one-time code” in cloud storage, allowing users who have lost the device with their authenticator on it to retain access to their two-factor authentication (2FA).
In an April 24 blog post announcing the update, Google said the one-time codes will be stored in a user’s Google Account, claiming that users would be “better protected from lockout” and it would increase “convenience and security.”
In an April 26 Reddit post to the r/Cryptocurrency forum, Redditor u/pojut wrote that while the update does assist those who lose the device with their authenticator app on it, it also makes them more vulnerable to hackers.
Because the codes are kept in cloud storage associated with the user’s Google account, anyone who gains access to the user’s Google password would then obtain full access to their authenticator-linked apps.
The user suggested that a potential way around the SMS 2FA issue is to use an old phone that is exclusively used to house your authenticator app.
“I’d also strongly suggest that, if possible, you should have a separate device (perhaps an old phone or old tablet) whose sole purpose in life is to be used for your authentication app of choice. Keep nothing else on it, and use it for nothing else.”