Reverse-Engineered google-passbox Project on GitHub Documents Google Authenticator's Undocumented Cloud-Sync API
A third-party GitHub repository, poloputoamo/google-passbox, publishes a reverse-engineered specification of the undocumented gRPC service ("Passbox") behind Google Authenticator's cloud sync, together with the token-exchange sequence needed to call it. The repository is not a Google release.
Key Facts
- Key company: Google
- Project: poloputoamo/google-passbox (independent reverse-engineering effort, not an official Google repository)
The google-passbox repository on GitHub contains a reverse-engineered specification of the undocumented gRPC service that powers Google Authenticator's cloud-sync feature, according to the project's README [GitHub – poloputoamo/google-passbox]. The repository documents the service endpoint (passbox-pa.googleapis.com:443), the transport (gRPC over HTTP/2 with TLS), and the protobuf-encoded method signatures that the Android app uses to list, create, update, and delete OTP credentials. By decompiling the Authenticator APK with JADX and capturing live traffic, the author reconstructed the service's protobuf schema, which Google does not publish in any .proto file.
Access to Passbox is gated by a restricted OAuth scope (https://www.googleapis.com/auth/passbox.credential) that Google reserves for first-party applications. The README explains that a standard OAuth consent flow will never grant this scope; the only viable path is to mimic the Authenticator app's own token-exchange sequence via Google's EmbeddedSetup page [GitHub – poloputoamo/google-passbox]. The sequence has three steps: retrieve an oauth_token cookie from https://accounts.google.com/EmbeddedSetup, exchange it for a master token at https://android.clients.google.com/auth, and then swap the master token for a Passbox bearer token while presenting the Authenticator's package name (com.google.android.apps.authenticator2) and signing-certificate SHA-1 (38918a453d07199354f8b19af05ec6562ced5788) as the client identity. The resulting token (a ya29.* string) is sent as a Bearer authorization header on every subsequent gRPC call, together with mandatory Android-style headers (x-android-package, x-android-cert, and user-agent).
The repository enumerates the full set of RPC methods exposed by PassboxExternalService: ListCredentials, GetCredential, CreateCredential, UpdateCredential, DeleteCredential, BatchUpdateCredentials, BatchDeleteCredentials, GetCredentialCount, and CheckExistCredential. Each method operates on resource names that follow a strict hierarchy: internalservices/GOOGLE_AUTHENTICATOR/owneridnamespaces/GOOGLE_USER_ID/ownerids/{numericGoogleUserId} identifies the user's namespace, and …/externalservices/{issuer}/credentials/{uuid} identifies an individual OTP entry beneath it. The numeric Google user ID comes from the accountId field of the master-token response, which is what ties the gRPC calls to a specific Google account. The README also provides example request payloads and response structures decoded from live traffic, confirming that the service returns protobuf-encoded OTP seeds and metadata rather than a JSON payload.
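To make the token-exchange outputs and the resource hierarchy above concrete, here is a small Python model written for this article (it is not the google-passbox project's own client and sends no network traffic). It builds and validates the two resource-name shapes, pulls accountId out of a master-token response, and assembles the per-call gRPC metadata. The endpoint, package name, certificate hash and header names are the values quoted above; the key=value-per-line layout of the token response, the user-agent string and the sample response body are assumptions or constructed data, not taken from the README.

```python
"""Illustrative model of the Passbox resource hierarchy and request metadata.
Example code written for this article, not the google-passbox project's client.
It sends no traffic; the auth-response layout and user-agent value are assumed."""
import re
import uuid
from dataclasses import dataclass

# Values quoted in the article.
PASSBOX_ENDPOINT = "passbox-pa.googleapis.com:443"
AUTHENTICATOR_PACKAGE = "com.google.android.apps.authenticator2"
AUTHENTICATOR_CERT_SHA1 = "38918a453d07199354f8b19af05ec6562ced5788"
# Assumption: the README specifies the real user-agent; this is a placeholder.
USER_AGENT = "example-passbox-client/0.1"

OWNER_PREFIX = ("internalservices/GOOGLE_AUTHENTICATOR/"
                "owneridnamespaces/GOOGLE_USER_ID/ownerids")
_CRED_RE = re.compile(
    re.escape(OWNER_PREFIX)
    + r"/(?P<owner>\d+)/externalservices/(?P<issuer>[^/]+)/credentials/(?P<uuid>[^/]+)"
)


def owner_name(account_id: str) -> str:
    """Resource name of a user's namespace; the accountId must be numeric."""
    if not account_id.isdigit():
        raise ValueError(f"accountId must be numeric, got {account_id!r}")
    return f"{OWNER_PREFIX}/{account_id}"


def credential_name(account_id: str, issuer: str, cred_uuid: str) -> str:
    """Resource name of one OTP entry beneath the user's namespace."""
    if not issuer or "/" in issuer:
        raise ValueError("issuer must be a single non-empty path segment")
    canonical = str(uuid.UUID(cred_uuid))  # ValueError if malformed; lower-case hyphenated form
    return f"{owner_name(account_id)}/externalservices/{issuer}/credentials/{canonical}"


@dataclass(frozen=True)
class CredentialName:
    owner: str
    issuer: str
    uuid: str


def parse_credential_name(name: str) -> CredentialName:
    """Split a credential resource name into its three variable segments."""
    m = _CRED_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a Passbox credential name: {name!r}")
    return CredentialName(m["owner"], m["issuer"], m["uuid"])


def is_credential_name(name: str) -> bool:
    return _CRED_RE.fullmatch(name) is not None


def parse_auth_response(body: str) -> dict:
    """Parse a key=value-per-line token response (layout assumed, not from the article)."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def owner_from_auth_response(body: str) -> str:
    """The accountId field is what ties later gRPC calls to one Google account."""
    return owner_name(parse_auth_response(body)["accountId"])


def grpc_metadata(bearer: str) -> list:
    """Metadata the article says every Passbox call must carry. Only the bearer token
    is secret; the package name and certificate hash are public strings any client can send."""
    if not bearer.startswith("ya29."):
        raise ValueError("expected a ya29.* Passbox access token")
    return [
        ("authorization", f"Bearer {bearer}"),
        ("x-android-package", AUTHENTICATOR_PACKAGE),
        ("x-android-cert", AUTHENTICATOR_CERT_SHA1),
        ("user-agent", USER_AGENT),
    ]


# Constructed sample of a master-token response; every value here is made up.
SAMPLE_AUTH_RESPONSE = (
    "Token=aas_et/EXAMPLE_MASTER_TOKEN\n"
    "accountId=123456789012345678\n"
    "Email=user@example.com\n"
)

if __name__ == "__main__":
    owner = owner_from_auth_response(SAMPLE_AUTH_RESPONSE)
    cred = credential_name("123456789012345678", "github.com",
                           "3F2504E0-4F89-11D3-9A0C-0305E82C3301")
    print(owner)
    print(cred)
    print(parse_credential_name(cred))
    print(grpc_metadata("ya29.EXAMPLE_ACCESS_TOKEN"))
```

Run it directly to see the names and metadata it produces. The point to take from grpc_metadata is that, apart from the bearer token, every value a Passbox call carries to identify the "device" is a public constant.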
From a security perspective, the public exposure of Passbox's API surface raises several concerns. The data being synced is the OTP seed material itself, so any client that can replicate the token-exchange flow for an account can list and read every seed that account has synced, and with the seeds can generate valid codes for all of the services they protect; the second factor then rests entirely on the strength of the Google account session that guards the sync. The repository's step-by-step guide shows that the barrier is procedural rather than cryptographic: an attacker who obtains a valid oauth_token cookie, for example from a compromised browser session, can acquire a master token and then a Passbox token with no further user interaction. Nor does the service appear to enforce device binding beyond the package name and certificate hash, and those are public values presented as plain request parameters and headers rather than anything that requires Google's signing key. Any client that replays them is, at the protocol level, indistinguishable from the official Authenticator app, and the same flow also grants the update and delete methods, so synced entries could be altered or removed as well as read.
Google has not publicly commented on the repository, and the service remains undocumented in any official developer portal. Nonetheless, the GitHub project provides a functional client library that can be used to experiment with the API, and the detailed token-exchange workflow gives security researchers a reproducible path for auditing the sync mechanism. By publishing the reverse-engineered documentation, the author has opened Google's cloud-sync architecture to independent analysis, a move that could pressure Google either to formalize the API with proper access controls or to deprecate the undocumented service altogether.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.