Google recently added a long-requested feature to its Authenticator app: the ability to back up 2FA codes to the cloud. The new feature syncs 2FA tokens across your devices via your Google account, addressing a major inconvenience in the app’s previous implementation of two-factor authentication. However, shortly after the rollout, a team of security researchers warned against enabling cloud backup in the app, saying it’s not end-to-end encrypted. According to a product manager at Google, this will be fixed down the line.
Security researchers at software company Mysk discovered the lack of E2EE support in Authenticator’s cloud backup after inspecting the app’s network traffic while it was syncing the 2FA codes. This means that the data stored in the app, such as your 2FA secrets, can be accessed by bad actors or by Google itself. Mysk added that there is no option to protect the secrets — industry jargon for the seed credentials from which the codes are generated — with a passcode so that only the user can access them.
It’s no secret that any system that stores sensitive data in the cloud poses some security risks. An attacker who gains access to a user’s Google account may be able to access their 2FA credentials and use them to hijack other accounts belonging to the user.
For the time being, security researchers advise users not to enable the ability to sync 2FA codes across devices and the cloud. After all, the app will continue to function even if your 2FA tokens are not synced.
Meanwhile, Christiaan Brand, a product manager at Google, acknowledged in a tweet the app’s lack of E2EE. He noted that “E2EE is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery.”
Cloud-based 2FA solves a longtime annoyance for Authenticator users by allowing their codes to be stored in the cloud using their Google account. This means that even if they lose their device or upgrade to a new phone, they can still access their 2FA tokens using a backup device.
Eventually, Brand assured the public that E2EE would be added to Authenticator in the future (via Mishaal Rahman). At the moment, Google is rolling out optional end-to-end encryption to some of its services.
In the meantime, if you are concerned about the security of your 2FA codes, you can use any of the top 2FA apps that offer end-to-end encryption, including Authy and Bitwarden.