Authenticator

👥 8M+ users
📦 v8.0.1
💾 2.87MiB
📅 2024-08-27

Overview

Authenticator generates two-factor authentication (2FA) codes in your browser. Use it to add an extra layer of security to your online accounts.

Always keep a backup of your secrets in a safe location.

Encrypting your secrets is strongly recommended, especially if you are logged into a Google account.

Features:
- Add accounts by scanning QR codes
- Search your accounts by pressing "/"
- Translated into more than ten languages
- Encrypt your secrets with a password
- Back up your secrets to a file, Google Drive, Microsoft OneDrive, or Dropbox
- Sync your secrets with your Google Account
- Import data from the official Google Authenticator mobile app
- Open source

Supports:
- TOTP
- HOTP
- Steam Guard
- Blizzard Authenticator

Privacy Practices

- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes

Security Analysis — Authenticator

Analyzed v8.0.1 · Mar 4, 2026 · 8 JS files · 1942 KB scanned

Permissions

activeTab storage identity alarms scripting clipboardWrite contextMenus

Code Patterns Detected

- Function constructor used — dynamic code execution
- innerHTML assignment — potential XSS vector
- String.fromCharCode (obfuscation)
- charCodeAt (obfuscation)
- unescape (deprecated obfuscation)
- Makes XHR requests
- Uses Fetch API
- Uses postMessage for cross-origin comms
- Sets up event listeners

External Connections

www.googleapis.com www.w3.org otp.ee graph.microsoft.com login.microsoftonline.com accounts.google.com www.google.com api.dropboxapi.com github.com content.dropboxapi.com authenticator.cc www.dropbox.com

Package Contents 96 files · 11MB

📁 _locales 741KB
  📁 ar 18KB
    {} messages.json 18KB
  📁 bg 19KB
    {} messages.json 19KB
  📁 bn 23KB
    {} messages.json 23KB
  📁 ca 16KB
    {} messages.json 16KB
  📁 cs 15KB
    {} messages.json 15KB
  📁 da 15KB
    {} messages.json 15KB
  📁 de 16KB
    {} messages.json 16KB
  📁 el 22KB
    {} messages.json 22KB
  📁 en 15KB
    {} messages.json 15KB
  📁 es 16KB
    {} messages.json 16KB
  📁 et 15KB
    {} messages.json 15KB
  📁 fa 19KB
    {} messages.json 19KB
  📁 fi 15KB
    {} messages.json 15KB
  📁 fr 16KB
    {} messages.json 16KB
  📁 fy 15KB
    {} messages.json 15KB
  📁 he 16KB
    {} messages.json 16KB
  📁 hi 22KB
    {} messages.json 22KB
  📁 hr 15KB
    {} messages.json 15KB
  📁 hu 16KB
    {} messages.json 16KB
  📁 hy 19KB
    {} messages.json 19KB
  📁 id 15KB
    {} messages.json 15KB
  📁 it 15KB
    {} messages.json 15KB
  📁 ja 17KB
    {} messages.json 17KB
  📁 ka 25KB
    {} messages.json 25KB
  📁 kaa 16KB
    {} messages.json 16KB
  📁 ko 16KB
    {} messages.json 16KB
  📁 lt 16KB
    {} messages.json 16KB
  📁 lv 16KB
    {} messages.json 16KB
  📁 nl 15KB
    {} messages.json 15KB
  📁 no 15KB
    {} messages.json 15KB
  📁 pl 16KB
    {} messages.json 16KB
  📁 pt 15KB
    {} messages.json 15KB
  📁 pt_BR 15KB
    {} messages.json 15KB
  📁 ro 16KB
    {} messages.json 16KB
  📁 ru 20KB
    {} messages.json 20KB
  📁 sq 17KB
    {} messages.json 17KB
  📁 sr 17KB
    {} messages.json 17KB
  📁 sv 15KB
    {} messages.json 15KB
  📁 th 22KB
    {} messages.json 22KB
  📁 tr 15KB
    {} messages.json 15KB
  📁 uk 20KB
    {} messages.json 20KB
  📁 vi 16KB
    {} messages.json 16KB
  📁 zh_CN 14KB
    {} messages.json 14KB
  📁 zh_TW 14KB
    {} messages.json 14KB
📁 _metadata 12KB
  {} verified_contents.json 12KB
📁 css 77KB
  🔤 DroidSansMono.woff 27KB
  🎨 content.css 436B
  📄 content.css.map 213B
  🎨 import.css 4KB
  📄 import.css.map 1KB
  🎨 mocha.css 5KB
  📄 mocha.css.map 1KB
  🎨 permissions.css 3KB
  📄 permissions.css.map 833B
  🎨 popup.css 43KB
  📄 popup.css.map 10KB
📁 dist 10.2MB
  📜 argon.js 46KB
  📄 argon.js.map 83KB
  📜 background.js 350KB (large)
  📄 background.js.LICENSE.txt 1KB
  📄 background.js.map 1.6MB
  📜 content.js 216KB (large)
  📄 content.js.map 588KB
  📜 import.js 584KB (large)
  📄 import.js.LICENSE.txt 2KB
  📄 import.js.map 2.5MB
  📜 options.js 72KB (large)
  📄 options.js.LICENSE.txt 87B
  📄 options.js.map 441KB
  📜 permissions.js 94KB (large)
  📄 permissions.js.LICENSE.txt 148B
  📄 permissions.js.map 533KB
  📜 popup.js 579KB (large)
  📄 popup.js.LICENSE.txt 2KB
  📄 popup.js.map 2.6MB
  📜 qrdebug.js 1016B
  📄 qrdebug.js.map 4KB
📁 images 41KB
  🖼 icon.svg 2KB
  🖼 icon128.png 3KB
  🖼 icon16.png 729B
  🖼 icon19.png 853B
  🖼 icon38.png 1KB
  🖼 icon48.png 2KB
  🖼 scan.gif 31KB
📁 view 3KB
  🌐 argon.html 138B
  🌐 import.html 370B
  🌐 licenses.html 1KB
  🌐 options.html 169B
  🌐 permissions.html 303B
  🌐 popup.html 435B
  🌐 qrdebug.html 278B
  🌐 test.html 342B
📄 LICENSE 1KB
{} manifest-pwa.json 156B
{} manifest.json 2KB
{} schema.json 2KB

What This Extension Does

Authenticator generates two-factor authentication codes in your browser, adding an extra layer of security to online accounts. It supports various protocols (TOTP, HOTP, Steam Guard, Blizzard Authenticator) and allows users to back up secrets securely. With over 8 million users, it's a popular extension for those seeking enhanced account protection.

Permissions Explained

  • activeTab (expected): Allows the extension to access the current webpage and interact with its content.
    Technical: Grants access to the active tab's DOM, allowing the extension to inject scripts, read page content, and modify the UI. This permission is necessary for the extension to function correctly but poses a risk if exploited by malicious code.
  • storage (expected): Enables the extension to store data locally on your device, such as account secrets and settings.
    Technical: Provides access to local storage, allowing the extension to save and retrieve sensitive information. This permission is necessary for the extension's core functionality but raises concerns if compromised by unauthorized parties.
  • identity (expected): Allows the extension to access your Google account credentials, enabling sync and backup features.
    Technical: Grants access to your Google account identity, allowing the extension to authenticate with Google services. This permission is necessary for syncing secrets but poses a risk if exploited by malicious code.
  • alarms (expected): Enables the extension to schedule and manage alarms, which are used for notifications and reminders.
    Technical: Provides access to alarm management APIs, allowing the extension to create and manage scheduled events. This permission is not directly related to security but may be used for malicious purposes if exploited.
  • scripting (expected): Allows the extension to execute scripts in the context of web pages, enabling features like code injection and UI modification.
    Technical: Grants access to scripting APIs, allowing the extension to inject scripts into web pages. This permission is necessary for some features but poses a significant risk if exploited by malicious code. ⚠ 1
  • clipboardWrite (expected): Enables the extension to write data to your clipboard, which can be used for various purposes like copying codes or credentials.
    Technical: Provides access to clipboard writing APIs, allowing the extension to copy and paste sensitive information. This permission is not directly related to security but may be used for malicious purposes if exploited.
  • contextMenus (expected): Allows the extension to create custom context menus, enabling users to access specific features and options.
    Technical: Grants access to context menu management APIs, allowing the extension to create custom menus. This permission is necessary for some features but poses a risk if exploited by malicious code.

Your Data

Authenticator accesses various domains and services, including Google, Dropbox, Microsoft, and more. It stores sensitive information locally on your device and sends data to these external services for backup and sync purposes.

Technical Details

The extension makes XHR requests to the following domains: www.googleapis.com, www.w3.org, otp.ee, graph.microsoft.com, login.microsoftonline.com, accounts.google.com, www.google.com, api.dropboxapi.com, github.com, content.dropboxapi.com, authenticator.cc, and www.dropbox.com. It uses HTTPS for most requests but may expose sensitive information if compromised by unauthorized parties.

Code Findings

Dynamic Code Execution via Function Constructor (High)

The extension uses the function constructor to execute dynamic code, which can lead to security vulnerabilities and potential exploits.

Technical: The extension uses the Function constructor to create new functions dynamically, allowing for code injection and execution. This pattern is commonly used in legitimate extensions but poses a significant risk if exploited by malicious code.

💡 Legitimate use: Creating dynamic functions for complex calculations or data processing.

Potential XSS Vector via innerHTML Assignment (Medium)

The extension assigns innerHTML values to elements, which can lead to cross-site scripting (XSS) vulnerabilities if exploited by malicious code.

Technical: The extension uses the innerHTML property to assign values to elements, allowing for XSS attacks. This pattern is commonly used in legitimate extensions but poses a risk if exploited by unauthorized parties.

💡 Legitimate use: Dynamically updating page content with user-input data.

Obfuscation via String.fromCharCode and charCodeAt (Medium)

The extension uses obfuscation techniques to hide code, which can make it harder for users to understand the extension's behavior.

Technical: The extension uses String.fromCharCode and charCodeAt to encode and decode strings, making it difficult to read the code. This pattern is commonly used in legitimate extensions but poses a risk if exploited by malicious code.

💡 Legitimate use: Encoding sensitive information for storage or transmission.

Deprecated Obfuscation via unescape (Medium)

The extension uses deprecated obfuscation techniques, which can lead to security vulnerabilities and potential exploits.

Technical: The extension uses the unescape function to decode strings, which is a deprecated method. This pattern poses a risk if exploited by malicious code.

💡 Legitimate use: None (deprecated).

Makes XHR Requests and Uses Fetch API (Info)

The extension makes HTTP requests to various domains, which is a normal behavior for extensions that require data exchange with external services.

Technical: The extension uses the XMLHttpRequest object and the Fetch API to make HTTP requests to various domains. This pattern is commonly used in legitimate extensions and does not pose a significant risk.

💡 Legitimate use: Exchanging data with external services for backup, sync, or other purposes.

Uses postMessage for Cross-Origin Comms (Medium)

The extension uses the postMessage API to communicate with web pages from different origins, which can lead to security vulnerabilities and potential exploits.

Technical: The extension uses the postMessage API to send messages between web pages from different origins. This pattern is commonly used in legitimate extensions but poses a risk if exploited by malicious code.

💡 Legitimate use: Communicating with web pages for authentication or other purposes.

Sets up Event Listeners (Info)

The extension sets up event listeners to respond to user interactions, which is a normal behavior for extensions that require user input.

Technical: The extension uses the addEventListener method to set up event listeners for various events. This pattern is commonly used in legitimate extensions and does not pose a significant risk.

💡 Legitimate use: Responding to user interactions, such as button clicks or keyboard input.

Bottom Line

Authenticator is a popular extension that provides two-factor authentication codes in your browser. While it has some security concerns related to dynamic code execution and potential XSS vectors, these issues can be mitigated by following best practices for coding and testing. Users should exercise caution when granting permissions and regularly review the extension's behavior to ensure it aligns with their expectations.