One of the most effective ways to stop your online accounts from being hacked is to turn on two-factor authentication. The security measure, often known as 2FA or multifactor authentication, requires you to enter a numerical code in addition to your username and password. So even if someone gets your password, they can’t break into your account without having your sign-in code too.
For years, security experts have recommended using authentication apps to generate these codes. All you have to do is scan a QR code for the service you want to turn 2FA on for, and the app will generate a new log-in code around every 30 seconds. This week, Google has given its 2FA app, Google Authenticator, a much-needed overhaul.
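As an added illustration (not Google's code or anything from the article), this is what an authenticator app does with the QR code you scan: the QR payload is an `otpauth://` URI carrying a shared secret, and the app derives a fresh code every 30 seconds from that secret with TOTP (RFC 6238). The URI below is constructed for the example and uses the RFC 6238 reference secret, so the codes it produces match the RFC's published test vectors; the `ExampleService`/`alice@example.com` label is made up.

```python
"""Added example: parse an otpauth:// QR payload and derive TOTP codes.
Not the original page's or Google's code. The sample URI is constructed and
uses the RFC 6238 reference secret (base32 of b"12345678901234567890")."""
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of what a 2FA enrolment QR code encodes.
SAMPLE_URI = ("otpauth://totp/ExampleService:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleService"
              "&digits=6&period=30")

def parse_otpauth(uri):
    """Extract label, raw secret bytes and parameters from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)   # restore base32 padding if it was stripped
    return {
        "label": unquote(u.path.lstrip("/")),
        # This long-lived secret is what a sync/backup feature must protect:
        # anyone holding it can generate every future code.
        "secret": base64.b32decode(secret),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(secret, timestamp, digits=6, period=30):
    """RFC 6238: HMAC-SHA1 over the 30-second step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(timestamp) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify(secret, code, timestamp, digits=6, period=30, window=1):
    """Server-side check tolerating +-`window` steps of clock drift (constant-time compare)."""
    return any(hmac.compare_digest(totp(secret, timestamp + d * period, digits, period), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    acct = parse_otpauth(SAMPLE_URI)
    print(acct["label"], totp(acct["secret"], time.time(), acct["digits"], acct["period"]))
```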
Google redesigned Authenticator, making it less clunky, and in the process added one potentially handy new tool: the ability to sync your sign-in codes to your Google account and to different phones and tablets. This essentially means your Instagram, Gmail, or Reddit 2FA codes—plus, all the other accounts you have it turned on for—will be backed up. The tweak makes it far less burdensome to switch devices if your phone with 2FA codes stored on it is lost or stolen—and it can even save you from being locked out of some accounts entirely.
“Since one-time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator,” Christiaan Brand, a group product manager at Google, wrote in a blog post announcing the change. Brand says the sync feature has been one of the most requested since the Authenticator app was released in 2010. “This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security.”
Syncing your Google Authenticator codes now happens through your Google account—the feature is available on the latest iOS and Android versions of Google’s app. Authenticator gives you the option to use the app with your Google login, and if you select this option, your Google profile will show in the top right corner of the app, next to a sync icon. When I downloaded Authenticator on my iPad after setting up sync on my phone, the codes appeared once I had logged in. There is also the option to keep using Google Authenticator without logging in to a Google account.
Jake Moore, global security advisor at security firm ESET, says he has previously been locked out of an authenticator app and knows the frustrations that come with trying to log back in to all your accounts when you don’t have access to your sign-in codes. “Upgrading a phone has been made easier over the years with cloud storage, but authenticating apps have been slow to the party and held back reservedly on security,” Moore says.
Google isn’t the only firm offering backups of 2FA sign-in codes. Since 2019, Microsoft has allowed people to use a “backup and restore” tool for its Microsoft Authenticator app. Other third-party apps, such as Authy, also sync across people’s devices. (Apple’s all-in-one password manager allows you to generate and store sign-in codes on iPhones and Macs but doesn’t have a stand-alone app.)
While Google’s Brand paints 2FA code backups as a win for users, Moore says there are always tradeoffs when balancing user security and convenience. Sure, backed-up codes might make it easier to gain access to your accounts if your phone is lost or stolen. But the more places your codes are stored, the greater the risk that a bad actor can access them.
For instance, if someone gains access to your Google account, they may also be able to access your 2FA codes for your other online accounts. Google spokesperson Kimberly Samra says “that risk is much smaller than that you lose your device, no longer have your OTPs, and then the service has to use a much weaker mechanism for allowing you to log in.”
Tommy Mysk, an app developer and security researcher who runs the software company Mysk, has tested multiple 2FA apps and found rogue apps available to download. Mysk says that there are security and privacy limitations to the major 2FA apps. For example, Microsoft’s sync doesn’t work between iOS and Android devices, making it harder to switch operating systems and take your 2FA codes with you.
In terms of data the apps collect, Mysk says Google’s Authenticator performs “very well” and doesn’t share details of QR codes with Google. “Most apps, including Microsoft Authenticator, send behavioral analytics—that is, how users use the apps and where they tap,” Mysk says. “Google Authenticator doesn’t send this sort of data.”
Despite adding more convenience, it doesn’t appear that either Google’s or Microsoft’s authentication app backs up people’s 2FA sign-in codes using end-to-end encryption when they are synced. That encryption method would ensure the companies themselves can’t read the secrets behind your sign-in codes. “Since 2FA apps deal with secrets, the only secure way to sync data across devices is by using end-to-end encryption,” Mysk says. “The app developer should not be able to read the content of the data.”