Google is now offering easier access to digital accounts that are protected by its Google Authenticator app by synchronising the one-time access codes it generates to the cloud, even as this raises some questions about security.
So, instead of being locked out of an account if they lose their phone, users can sign in to their Google account and access the same codes to get back into, say, their Instagram or Adobe account.
Google Authenticator is a much-used two-factor authentication (2FA) app that helps users better secure their digital accounts. It acts as a second layer of defence even if a hacker has stolen their passwords.
To log in to an account, users access the app on their phone for a one-time code that is generated on-screen. They then type that in to get into an account that is protected by 2FA security.
Now, Google is letting users synchronise these one-time codes to their Google account, so the codes are no longer tied to the phone and users can still get into their digital accounts without the app on hand.
If you have installed the app on your phone and also signed in to Google with it, then you will have the one-time codes automatically synchronised to your account for easy retrieval. Just update your Google Authenticator app.
This, according to Google, will make things more durable. “This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security,” wrote Christiaan Brand, Google’s group product manager, in a blog post today.
The question, of course, is whether this actually makes it easier for a hacker to get into your other accounts, if they gain access to your Google account.
Trade-offs are usually needed between convenience and security, so more security-minded users might want to opt out of this synchronisation and stay with just their Google Authenticator app. Yes, that seems like a single point of failure, but it is also a smaller attack surface.
Plus, don’t forget there are still backup codes you should have saved when you first activated 2FA on your digital accounts.
Make sure these codes are printed out and kept in a safe place – that’s probably safer than having your codes stored digitally in the cloud, which faces cyberattacks daily.
Even LastPass, a trusted password manager service, was hacked after cyberattacks targeted one of its engineers’ PCs to gain access, reported Ars Technica last month.
Customer account secrets, application programming interface (API) keys, and third-party integration information were among the data stolen. The attackers also accessed customer data vaults.