After a 13-year-long wait, Google Authenticator has added a 2FA account-sync feature that lets users back up their 2FA code sequences to the cloud and later restore them onto a new device.
Though the upload of a user’s 2FA secrets is encrypted in transit, researchers at Naked Security by Sophos and iOS developers at Mysk reported that a user’s 2FA details were “unencrypted inside Google’s HTTPS network packets.” Furthermore, there is no option for a user to encrypt the upload with a passphrase before it leaves their device.
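To make the missing option concrete, the following added example (not code from Google Authenticator, Sophos or Mysk) wraps a 2FA secret with a passphrase-derived key on the device, so that the service behind the HTTPS connection only ever receives ciphertext. The function names, the envelope format, the scrypt and AES-256-GCM choices and the sample `otpauth` URI are all assumptions made for this illustration.

```javascript
// Added example: wrap a TOTP seed with a passphrase before it is synced.
const crypto = require('crypto');

// Constructed sample input: otpauth URI with a made-up Base32 seed.
const SAMPLE_URI =
  'otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example';
const HEADER = 'totp-backup-v1'; // hypothetical envelope label, bound as AAD

// Stretch the passphrase into a 256-bit key with scrypt (memory-hard).
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32,
    { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Runs on the device: returns the only thing that should be uploaded.
function sealBackup(passphrase, otpauthUri) {
  const salt = crypto.randomBytes(16); // fresh per backup
  const iv = crypto.randomBytes(12);   // 96-bit GCM nonce, never reused
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(HEADER));
  const ct = Buffer.concat([cipher.update(otpauthUri, 'utf8'), cipher.final()]);
  return {
    header: HEADER,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Runs on the new device: throws if the passphrase is wrong or the blob was altered.
function openBackup(passphrase, blob) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAAD(Buffer.from(blob.header));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// What the sync service sees once TLS is terminated: ciphertext only.
function serverView(blob) {
  return JSON.stringify(blob);
}
```

With this arrangement, anyone who can read the HTTPS payload or the stored backup still needs the passphrase to recover the seed.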