The Google Authenticator controversy

I'm getting a bunch of queries about the controversy regarding lack of
end-to-end encryption in the new Google Authenticator cloud syncing
feature. Google's response to this so far has unfortunately been
brief and does not explain the situation in a manner that most people
are likely to understand.

Within a few days I plan to write this issue up in a manner that most
people *will* understand, and that's going to take some time.

For now I'll say this. Using the cloud sync feature in Authenticator is
reasonably safe, but does have problematic aspects in its current form.
When it popped up in Authenticator for me a couple of days ago, I chose
not to enable it by not logging Authenticator into a Google account, mainly
because I have my own backup procedures for these codes -- but most people
frankly do not.

On balance, right at this moment, I would not recommend using this cloud
sync Authenticator feature -- and I will explain in more detail in a more
complete message. I will note however that Google is trying to do the
right thing in providing a backup mechanism for these codes -- something
that has long been needed in Authenticator. However, there is genuine risk
in the current implementation, though in practice it most likely is quite
small for most people.

I'll try to explain this in more detail soon.

Best, -L
- - -
--Lauren--
Lauren Weinstein
[email protected] (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Mastodon: https://mastodon.laurenweinstein.org/@lauren
T2: https://t2.social/laurenweinstein
Founder: Network Neutrality Squad: https://www.nnsquad.org
PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility
Tel: +1 (818) 225-2800