OKX sent me an email today about the risk of using Google 2FA with the cloud sync feature: that it is very risky because it is not end-to-end encrypted.
Security risk notice: Google Authenticator's cloud sync feature
We'd like to inform you of a potential security risk for Google Authenticator users. Google Authenticator's cloud sync feature is not end-to-end encrypted, and poses a high security risk if you use it to secure your OKX account.
Here's what you need to know about this security risk:
- Google Authenticator stores your private keys used to generate one-time codes every 30 seconds, and is used for two-factor authentication
- When the cloud sync feature is turned on, Google backs up your private keys without encrypting them behind an additional passphrase
- This means that a malicious attack on your Google account will not only leave your passwords vulnerable, but your private key too. This allows hackers to log in to all your accounts with two-factor verification, including your OKX account.
We strongly recommend turning off the cloud sync feature and keeping the private key on your device, or switching to authenticator apps that encrypt your private key when storing it on the cloud.
At OKX, our top priority is the safety of your account and funds. For any further questions or concerns, please reach out to customer support for help.
Regards,
OKX Team
I will not advise you to just turn off the syncing feature on Google Authenticator; it is better you go and activate new 2FA codes on your different exchanges and wherever else you are using 2FA. Do not use Google Authenticator again. There are better 2FA apps.
Those are better authenticators. I will suggest Aegis for Android and Tofu for iOS.