Google Authenticator

Google Authenticator is not free of criticism and omissions. For example, the demand for a function that allows secret seeds to be synchronized for other devices has become louder and louder. However, Google has neglected to include E2E encryption in the process. This is now to be retrofitted.

Plain language in encryption

When people speak plain language, something is said in an understandable and open manner. If an encryption speaks plain language in the transmitted sense, this can be a security vulnerability.

The secret seeds that Google Authenticator uses to calculate the code for second factor of 2FA encryption were previously transmitted in plain text.

The problem: In theory, the plaintext allows the multi-factor authentication to be undermined and the data to be tapped by middlemen. This only requires access to the corresponding network. This is a welcome invitation for attackers to try to hack into the network.

This makes two-factor authentication via Google Authenticator more dangerous than before. Google itself could also easily access the data in its own network, since it is available as plain text. It is unlikely that Google itself will tamper with this data, but who knows where you will find black sheep everywhere who sense an opportunity to enrich themselves at the expense of others.

Google itself has become directly aware of the problem and has reacted to it. In a statement, it promised that the security of the users always comes first and that the responsibility for the data is taken very seriously. Therefore, they are already thinking about ways to ensure the protection of user data again. Right at the forefront is end-to-end encryption, or E2E encryption. However, Google still sees some disadvantages for its users and therefore does not want to rush into anything.

E2E at Google products

End-to-end encryption is a popular system when handling sensitive data. It offers additional protection against attacks and unauthorized access to data. However, Google itself has been a bit reluctant to apply this method to its services so far.

This is because users would no longer be able to access their data without a recovery, or would be locked out of their own data. This would close the security gap, but the users themselves would then also be excluded. Of course, one wants to prevent such a thing.

However, Google has already started to equip individual products with an option for E2E encryption. The Google Authenticator is not yet among them, but it will follow in the future. However, it is not clear when exactly this will be the case. Google considers E2E encryption to be a very strong and useful function, but does not seem to want to integrate it directly into all products and applications. The Google Authenticator is apparently not at the top of the list of priorities, but will eventually get its turn.

In any case, it should not be the case that end-to-end encryption becomes mandatory for Google’s products. It is to remain optional so that users can manage their backup strategies themselves if they wish. So far, however, the option is not yet available and the security gap remains open.

Therefore, for example, heise Security – who were among the first to report this problem – advises against using Google Authenticator for the time being. Instead, users should prefer to switch to an alternative temporarily. At least until E2E encryption is also available in Google Authenticator.


The Google Authenticator is currently struggling with a security vulnerability due to the missing E2E encryption. This means that the protection of one’s own data is no longer guaranteed. So, for now, it is recommended to use another form of multi-factor authentication. It is not known how long this situation will continue. Google is aware of the problem and has already announced steps to restore security for its users’ data. Until then, it is advisable to use another form of multi-factor authentication. For example, the Authenticator from Reiner SCT, which offers maximum security and has no security gaps.