Google leaking 2FA secrets – researchers advise against new account sync feature (sophos.com)
40 points by donutshop on April 27, 2023 | 5 comments


If your threat model includes a compromise of Google (or your Google account), sure. You should also probably use a hardware TOTP device in that case. For most people, this is a sufficient level of security. It’s always a trade-off between convenience and safety.


Could also include other risks, like:

- Google is compelled by a warrant to share all your plaintext seeds

- Plaintext seeds are accidentally exposed to APIs available to Chrome extension developers


Or, maybe, that Google looks the other way while another entity uses your token.


With NSLs they can't tell anyone.


(removed my snarky comment about AI, was unnecessary)

Update: I re-read it. Seems like the issue is that they found the content of the packets that were transported over TLS contained the TOTP seed in plain text.

Anyone tell me why this is worrying for the masses? Unless Google has promised to make this E2E encrypted.

They’re encrypted in transit, Google presumably encrypts everything at rest. So what’s the issue here? Practically every sensitive transaction on the web works this way.
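To make concrete why a TOTP seed sitting in plaintext inside a TLS-protected sync payload is the thing the thread is arguing about, here is an added example (not code from the thread, from Sophos or from Google): an RFC 6238 TOTP implementation, checked against the RFC's own test vectors, showing that whoever holds the seed can mint valid codes, next to a hypothetical client-side wrapping of the seed under a user passphrase so that the party terminating TLS sees only ciphertext. The passphrase-based wrap is an assumed design for illustration; its HMAC-SHA256 counter-mode keystream with a separate HMAC tag is a stdlib-only stand-in for a real AEAD such as AES-GCM, and the sample seed is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    return hotp(base64.b32decode(padded), unix_time // step, digits)


def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the user's passphrase (assumed design)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in keystream, not a substitute for AES-GCM."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def wrap_seed(seed_b32: str, passphrase: str) -> dict:
    """Client-side (end-to-end) wrapping: the sync payload carries ciphertext plus a MAC only."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    pt = seed_b32.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": _b64(salt), "nonce": _b64(nonce), "ct": _b64(ct), "tag": _b64(tag)}


def unwrap_seed(payload: dict, passphrase: str) -> str:
    """Client-side unwrapping; fails closed when the tag does not verify."""
    salt, nonce, ct, tag = (base64.b64decode(payload[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: wrong passphrase or tampered payload")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def holder_can_mint_codes(payload: dict, unix_time: int) -> bool:
    """What the party that terminates TLS can do with the payload it receives.
    A plaintext sync record (constructed here with a 'totp_seed' field) lets it
    compute a valid code; an end-to-end wrapped record does not."""
    if "totp_seed" in payload:
        totp(payload["totp_seed"], unix_time)
        return True
    return False


if __name__ == "__main__":
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key "12345678901234567890"
    print("code at T=59:", totp(seed, 59))      # 287082, per RFC 6238 (6-digit form)
    plain_record = {"account": "user@example.com", "totp_seed": seed}
    wrapped_record = {"account": "user@example.com", **wrap_seed(seed, "correct horse")}
    print("plaintext sync, holder mints codes:", holder_can_mint_codes(plain_record, 59))
    print("E2E-wrapped sync, holder mints codes:", holder_can_mint_codes(wrapped_record, 59))
```

The contrast is the point of the thread: TLS protects the seed on the wire, and encryption at rest protects the disk, but in the plaintext design the service (or anyone it is compelled or tricked into sharing with, or an extension-facing API that can read the record) holds exactly what is needed to produce codes. In the wrapped design the same party holds only salt, nonce, ciphertext and tag, and the passphrase never leaves the client.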



