That quick response is indicative that E2EE might have been on the roadmap already. It's a bunch of trade-offs:
- Keep things as they are
- Avoid TOTP data getting lost with lost passwords
- Avoid TOTP data getting distributed when the Google-side backup ends up becoming public
Maybe this might have been a suitable situation for a "beta" label, though: "We have this, it offers advantages, it has caveats, if you don't care about them, feel free to sign up, otherwise wait until we've sorted it out."
(Disclosure: work at Google, but no insight into what Authenticator is doing)