Search giant Google on Monday unveiled a major update to its 12-year-old Authenticator app for Android and iOS with an account synchronization option that allows users to back up their time-based one-time passwords (TOTPs) to the cloud.
"This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security," Google's Christiaan Brand said.
The update, which also brings a new icon to the two-factor authenticator (2FA) app, finally brings it in line with Apple's iCloud Keychain and addresses a long-standing complaint that it's tied to the device on which it's installed, making it a hassle when switching between phones.
Even worse, as Google puts it, users who lose access to their devices completely "lost their ability to sign in to any service on which they'd set up 2FA using Authenticator."
The cloud sync feature is optional, meaning users can opt to use the Authenticator app without linking it to a Google account.
That said, it's always worth keeping in mind the pitfalls associated with cloud backups, as a malicious actor with access to a Google account could leverage it to break into other online services.
The development comes days after Swiss privacy-focused company Proton, which surpassed 100 million active accounts last week, unveiled an end-to-end encrypted password manager solution called Proton Pass.
The open source and publicly auditable tool, which makes use of the bcrypt password hashing function and a hardened version of the Secure Remote Password (SRP) protocol for authentication, also comes with 2FA integration.
Update
Google said it plans to offer end-to-end encryption (E2EE) support for its cloud sync feature after security researchers at Mysk and Sophos pointed out potential security concerns with enabling the option to sync 2FA tokens across devices.
The company noted that the data is encrypted in transit and at rest, including the Authenticator app, adding "E2EE is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery."
