The very recent oopsie whoopsie by Google has got to be one of the very worst ever:
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
[...]
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Source: twitter.com/mysk_co/status/1651021...
Google has since announced that they have plans to offer proper encryption "down the line" 🤠
Source: twitter.com/christiaanbrand/status...
Wow, welp, I was interested in using this feature but if it's not encrypted on-device with my own keys, then no thanks, I'll just continue keeping a pile of recovery codes in my safe deposit box.