Can Google's administrators be trusted with Google Authenticator?

Question

Suppose there is an evil Google administrator who has full access to every server or network at Google. Will such a person be able to abuse the Google Authenticator technology to gain access to non-Google services which uses the Google Authenticator technology for access?

In other words: Suppose I setup Google Authenticator for website-A of company-A which is not hosting any Google services. However I choose to use the Google Authenticator authorization mechanism to "improve" my security. Will mr. Google Administrator (who supposedly has the ability to monitor all communications via the Google Authenticator and/or can manipulate the tokens/keys of the service to his advantage) have same sort of way to get access to my account at website-A?

Answer 1

Could someone with unfettered access to Google's systems and malicious intent compromise non-Google accounts via Google Authenticator alone? No.

Could they compromise non-Google accounts via several other Google services which someone using Google authenticator is likely to also use? Probably.

Firstly, Google authenticator is used to implement multi-factor authentication. The whole point of this is that if one method of authentication is compromised then the other authentication method should prevent the attacker from gaining access. Furthermore these authentication methods are typically designed to be isolated, so someone who is able to compromise something you know (eg. a password) should not also be able to compromise something you have (eg. a physical device) at the same time. Even if Google authenticator was compromised an attacker would not necessarily also have the password.

Secondly, Google authenticator implements TOTP. The secret is communicated only between the service requiring authentication and your device, so unless Google is the service then there is no need for the secret to be communicated to Google.

Now of course the assumption that the secret won't be communicated to Google is dependent upon the integrity of the client. It is possible that the App you have installed has been compromised to capture the secret and send it to the attacker. Google Authenticator is open source, therefore you could theoretically verify that the code does what it should then compile it yourself. In reality if an attacker has the ability to arbitrarily compromise software on your device then they could probably compromise any form of 2FA involving the device (for example SMS) and Google Authenticator would not pose an additional risk.

Aside from this, if someone at Google wanted to attack you there are probably more effective avenues which don't involve Google Authenticator. For example given that the Play Store on an Android device is signed by the same certificate as the system it can access permissions to install software without your explicit permission. If you used gmail they could also most likely access non-Google accounts by resetting passwords.

TLDR; An attacker with unlimited access to Google's systems would almost certainly be a threat to non-Google accounts, but not because of Authenticator.