Google Authenticator supports cloud synchronization

Original link: https://www.williamlong.info/archives/7153.html

On April 24th, according to the Google Security Blog, Google updated Google Authenticator, its two-step authentication app for Android and iOS, to let users back up the one-time passwords generated by the app to their Google account. This prevents the situation where, after the phone is lost or stolen, the user can no longer log in to websites or services that rely on Google Authenticator.

Google launched Google Authenticator in 2010; it can be installed on Android or iOS phones. When users visit services or websites that support Google Authenticator, those services calculate and require the user to enter a 6-8-digit one-time password as a second authentication factor in addition to the usual password. Google Authenticator on the device calculates and displays the password for the user to enter to verify their identity.

In the past, these one-time passwords were only stored in Google Authenticator on the user’s device, so if the device was lost or stolen, it was difficult for the user to log in to related services.

This week’s update, a new feature in Google Authenticator 6.0 for Android or Google Authenticator 4.0 for iOS, allows users to store these one-time passwords in their Google account for use on all devices that are signed in to that account. Users only need to sign in to their Google account in Google Authenticator, and the one-time passwords will be automatically backed up to the Google account.

Google Authenticator is a time-based one-time password (Time-based One-time Password, TOTP) app launched by Google. You only need to install the app on your mobile phone to generate a one-time password that changes with time and is used for account verification. Google Authenticator is a very popular authentication app with over 100 million downloads.

After the Google Authenticator cloud sync feature was released, a security researcher from Mysk tweeted that data was not end-to-end encrypted when uploaded to Google servers. The researchers analyzed the network traffic during app synchronization and found that the traffic was not end-to-end encrypted. That is to say, Google can see the synchronized information. There is currently no mechanism ensuring that only the uploading user can access this information.

End-to-end encryption (E2EE) means that data is encrypted, using a password known only to the user (owner), before it is transmitted to and stored on another device. Because the data is encrypted, it cannot be accessed by others. However, Google Authenticator does not provide end-to-end encryption, so data stored on Google servers may be accessed by unauthorized parties, for example in a data leak.

Google then sent a statement to CNET that read:

End-to-end encryption (E2EE) is a powerful feature that provides additional protection, but at the cost of users being unable to recover their own data after turning it on.

We will provide corresponding options according to user needs in the future to provide E2EE support for Google Authenticator.

Friendly reminder: Please make a backup before updating. After I updated to the new version of Google Authenticator, I logged in to my Google account. After logging in, I found that all the local authenticators had disappeared, and I couldn’t find them. In the end, I had to restore each local authenticator one by one.