Google Authenticator 的備份功能不是 E2EE (end-to-end encryption)

前幾天提到了 Google Authenticator 總算是支援備份功能了：「Google Authenticator 支援備份到 Google Account 的功能」，當初操作的時候沒看到自訂密碼之類的功能，就有在猜應該不是 E2EE，直接攔傳輸內容也被證實沒有 E2EE 了，TOTP 的 secret token 都是直接傳輸的：「PSA: Google Authenticator’s Cloud-Synced 2FA Codes Aren’t End-to-End Encrypted」。

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don’t turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR

— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023

Google 的發言人回應 CNET 的詢問時只說會有計畫做，但沒有給更細的資料：

To ensure that we’re offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.

在意的人就還是先不要開…

Read More