Unfulfilled Promise: Google’s Authenticator Fails to Deliver Device Encryption

Google promises device encryption in the authenticator - but does not deliver

Google’s Authenticator app recently received an update that syncs the secret seeds used to generate one-time passwords; however, the seeds were transmitted as plain text inside the TLS-encrypted connection, with no additional encryption applied on the device, which drew criticism from IT security circles. A fix was supposedly included in a subsequent update to Google Authenticator, but that update did not deliver the promised device encryption of the secret seeds.

Although the change log for version 6.0 of the app includes a note stating that device encryption was added for storing secret values, it remains unclear what is being encrypted and when: the seeds can still be observed as unencrypted plain text inside the TLS-encrypted connection.

As a result, experts recommend relying on other authenticator apps such as Authy, which can back up and sync secret seeds while protecting them with a master password known only to the user. Google has not yet responded to a request for more information on the update and whether or not it delivers the promised end-to-end encryption.
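The following is an added illustration, not code from Google or Authy, of the difference the article describes: with transport encryption alone, the seed itself is the payload the sync service receives, whereas device-side encryption under a passphrase known only to the user leaves that service with ciphertext. It uses only the Python standard library; scrypt derives the key, and an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for AES-GCM (the production choice), so the cipher construction, parameters and sample seed are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample TOTP seed (base32), not a real account secret.
SAMPLE_SEED = "JBSWY3DPEHPK3PXP"


def tls_only_payload(seed: str) -> Dict[str, bytes]:
    # What the sync service receives when TLS is the only protection:
    # the seed itself, readable by anyone inside the TLS endpoint.
    return {"seed": seed.encode()}


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Memory-hard KDF so offline guessing against a leaked backup is slow.
    # Cost parameters are illustrative; tune for the target device.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-based stream: HMAC-SHA256(key, nonce || counter), stand-in for AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_seed(seed: str, passphrase: str) -> Dict[str, bytes]:
    # Device-side encryption: this dict is all the sync service ever sees.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    pt = seed.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_seed(blob: Dict[str, bytes], passphrase: str) -> Optional[str]:
    key = derive_key(passphrase, blob["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong passphrase or tampered backup: refuse, do not guess
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks)).decode()


def service_sees_seed(payload: Dict[str, bytes], seed: str) -> bool:
    # Does the synced payload expose the seed in the clear?
    return seed.encode() in b"".join(payload.values())
```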
