[HN Gopher] Google Authenticator now supports Google Account synchronization
___________________________________________________________________
Google Authenticator now supports Google Account synchronization
Author : ortusdux
Score : 262 points
Date : 2023-04-24 17:11 UTC (5 hours ago)
(HTM) web link (security.googleblog.com)
| kramerger wrote:
| Pro tip: Aegis works offline and can export and import to file.
| fabian2k wrote:
| Ahem, I think making it much easier to transfer and back up 2FA
| codes is extremely important to make this area more usable. But
| I'm missing some parts here in this announcement: how is the data
| protected? Is the security the same as for the Google Account
| itself, or are there additional checks or protection for the case
| where you need to restore 2FA to another phone?
|
| And how are you supposed to handle the 2FA for your Google
| account? I mean I have U2F tokens which remove that concern, but
| that is far from the typical case. If you have the 2FA for your
| Google account in the Google Authenticator, which is probably a
| very common case, how does this entire thing work then when you
| need it, which is when you lose your phone?
| justeleblanc wrote:
| > And how are you supposed to handle the 2FA for your Google
| account? I mean I have U2F tokens which remove that concern,
| but that is far from the typical case. If you have the 2FA for
| your Google account in the Google Authenticator, which is
| probably a very common case, how does this entire thing work
| then when you need it, which is when you lose your phone?
|
| You open your safe and you use one of the recovery codes that
| you wrote down when you set up 2FA.
| howinteresting wrote:
| You have to meet people where they're at.
| tasuki wrote:
| Do you and people you know have a safe? Where I'm from, we
| generally don't use safes.
|
| Do you consider your safe to be... safe? I'd imagine it to be
| relatively easy to get into, by picking the lock or sawing
| through the safe.
| maxfurman wrote:
| A safe is extremely safe against hackers on the other side
| of the world. Quite safe against more local threats without
| special equipment and time on their hands.
|
| Security is relative to your threat model!
| tedivm wrote:
| Most decent safes are not trivial to pick, often using
| circular keys instead of the flat ones requiring a
| different type of pick. Newer safes don't even have
| keyholes but require that you actually know the
| combination.
|
| As for drilling or sawing through it, that's going to take
| _hours_ to do.
| JohnFen wrote:
| > As for drilling or sawing through it, that's going to
| take hours to do.
|
| This is true for expensive commercial safes, but not for
| home safes. You can drill/saw through them relatively
| quickly. What you can't do is drill/saw through them
| without making a whole lot of noise.
| wintogreen74 wrote:
| or a little water damage, or a fire lasting more than 30
| minutes.
| justeleblanc wrote:
| > Do you and people you know have a safe?
|
| Yes. I'm not talking about a safe like you can see in the
| movies. Just a locked box.
|
| > Where I'm from, we generally don't use safes.
|
| That's on you.
|
| > Do you consider your safe to be... safe? I'd imagine it
| to be relatively easy to get into, by picking the lock or
| sawing through the safe.
|
| That's not the point. 2FA is about thwarting password
| leaks. If someone has physical access to my house _and_
| knows my passwords, I'm screwed, yes.
|
| But since I don't live in a Jason Bourne movie, my threat
| model isn't a ninja who steals my passwords then comes into
| my house to hack my tiktok account. My threat model is
| breaking my phone and knowing that my backup passwords are
| in a minimally safe place where I expect them to be and
| weren't carelessly thrown away with old documents; and
| deterring casual "attackers" like a niece who could be inclined
| to plunder my papers for coloring material.
|
| And if I did live in a Jason Bourne movie, I'd expect the
| ninja to just beat me up when I get home and unlock my safe
| for him, assuming I had bought an unbreakable safe.
| mardifoufs wrote:
| So 2FA is just for the tiny, tiny minority with a safe?
| What... Am I missing an obvious joke here?
| JohnFen wrote:
| > > Where I'm from, we generally don't use safes.
|
| > That's on you.
|
| Wait, are we expected to have to buy safes to use the
| internet now?
| xp84 wrote:
| I mean, you should have a safe for a million reasons.
| Mine was bought from Groupon for $50 and wouldn't even
| keep out a determined teen if they didn't mind the
| intrusion being detected.
|
| It just gives you a single location in your house which
| you know nobody could accidentally open up and misplace
| the contents. It's where our passports and other
| foundational government documents, ATM cards, and yes,
| 2FA materials go. When you keep that kind of stuff in,
| say, a desk or nightstand drawer, it's vulnerable to the
| 'oh crap, we cleaned out that drawer' attack, where you
| or your family members toss that stuff inadvertently.
|
| Try a safe, it's great.
| JohnFen wrote:
| Nah, I'm good. I have all the benefits you cite without
| having to bother with a safe.
|
| I was just reacting to the somewhat bizarre idea that
| owning a safe is something we should be expecting people
| to do for their online stuff.
| cooperadymas wrote:
| > And if I did live in a Jason Bourne movie, I'd expect
| the ninja to just beat me up when I get home and unlock
| my safe for him, assuming I had bought an unbreakable
| safe.
|
| Here I was thinking you might blow him up with the
| toaster. Or crash him into a garbage truck after an
| extenuated car chase.
| TeMPOraL wrote:
| We live in the era of smart toasters. You'll need to use
| your 2FA tool before you can blow someone up with it,
| which kind of defeats the point when chased by a ninja
| that's after your 2FA tool.
| jacobsenscott wrote:
| Just keep the backup codes in your wallet - most people
| protect their wallets pretty well.
| ndsipa_pomu wrote:
| I'd recommend obfuscating the codes in the event that you
| lose your wallet. You don't want a bad actor to find it
| and realise they can gain control of your account, though
| they'd need to figure out your email first.
| darkvertex wrote:
| You can also buy a few cheap RFID stickers that can be
| overwritten from your phone. The cheapest stores like a
| kilobyte or so, which is plenty for quite a few codes.
|
| You can glue them in inconspicuous "boring" places in
| plain sight, like under a mousepad or behind a movie
| poster hung on the wall.
|
| Great way to hide secrets in your home without owning a
| traditional safe (which just screams "steal me! I'm the
| valuable thing in the room!" anyway.)
| blendergeek wrote:
| The main purpose of a home "safe" is fire protection. If my
| house burns down, the contents of my safe should be fine.
| Obviously a sufficiently motivated adversary can get in.
| But that (usually) isn't something I am worried about. Most
| internet hackers do not physically break into houses and
| open safes.
| organsnyder wrote:
| Yeah, we actually keep the key in the lock in ours. If
| someone gets in and really wants to steal it (note to
| potential thieves: there isn't anything worth your
| while), they could just carry the whole safe with them.
| It's only for preserving important documents in case of
| fire.
| kbenson wrote:
| Many safes allow for securing to the floor, making
| porting it away require a bit more effort, possibly
| including power tools which are quite loud. Also they're
| quite heavy usually.
|
| I remember as a child someone broke into our house while
| we were away to steal stuff. The safe wasn't bolted down,
| and they carried it from one end of the house to the
| other before giving up, either because they got spooked
| by something and bolted or because it was just too damn
| heavy.
|
| Think about the logistics of it. If they're stealing a
| safe, that probably requires a vehicle. A vehicle is more
| identifiable and unless stolen makes it easier to track
| people if noticed or recorded. If stolen, there's a
| chance it will cause a problem immediately before, during
| or after the crime. If they don't use a vehicle, all the
| benefits of not using one, such as being able to take
| non-road paths and blend into crowds, are negated. And if
| they choose to crack the safe on location, that adds time
| to the crime while doing so, and all time spent at the
| location of the crime increases the chance they'll be
| caught because someone notes something suspicious.
|
| Like a lock on a house, a safe within a house serves its
| purpose not by making it impossible to gain access but by
| making it much more troublesome and likely to be noticed,
| changing the risk to reward ratio.
| wintogreen74 wrote:
| The "protection" from home safes is a joke: typically
| 30-60 minutes at temperatures less than the heat
| generated by a house fire.
| lapetitejort wrote:
| The house next door to me caught fire. By the time I saw
| the flames from my window and ran out the door, the fire
| truck was already preparing to douse the flames. Yes, I
| am lucky to live in an area with fast responses; no, not
| everyone is so lucky, yadda yadda yadda. But safes help.
| So do fire extinguishers. Get one for every floor in your
| house.
| NavinF wrote:
| 30-60 minutes is a very long time, do fire departments
| normally take that long to start dumping water on the
| house? Some site says "NFPA Standard 1710 establishes a
| 320 second or 5 minutes and 20 seconds 'response time'
| goal for not less than 90% of these type incidents."
| cyberbanjo wrote:
| Relatively easy? Relative to what?
| saltcured wrote:
| Relative to a naively imagined abstraction of a safe,
| perhaps.
|
| A decent home safe can be reasonable protection against
| that loose scrap of paper with backup codes ending up in
| the trash can and may even keep it legible in the event
| of a house fire. But it is true, it won't be much help if
| you are targeted by safe crackers.
| jaggederest wrote:
| Relative to the wrench attack, I guess:
| https://xkcd.com/538/
| kingcharles wrote:
| My entire storage building just burned to the ground with
| my safe in it, all my paper codes, my laptop with all my
| auth on it.
|
| Luckily by sheer fluke my phone was saved which has my TOTP
| apps on it or I would never get into anything again.
| ISL wrote:
| Why did the safe fail to protect the paper -- too hot,
| too long?
| djbusby wrote:
| "The what in where?" says typical user.
| bakugo wrote:
| Any user that didn't pay attention when they were loudly
| and clearly told "SAVE THESE CODES OR YOU MAY LOSE YOUR
| ACCOUNT" probably doesn't actually care about their account
| that much.
| wintogreen74 wrote:
| Uhm, really? Company punts on how to actually secure it
| by saying "store in a safe place" so now it's all on the
| user? Aren't we back to writing your long, complex PW on
| a post-it note then, with the extra step of "lock up your
| post-it!"?
| bakugo wrote:
| > Company punts on how to actually secure it by saying
| "store in a safe place" so now it's all on the user?
|
| Yes, it's on the user, who else would be responsible for
| that? A Google employee isn't gonna go to your house to
| install a safe for you so you can store it securely. You
| can argue all day that the average person often can't be
| trusted with these things but I fail to see how this is
| anyone's problem except their own, at some point we need
| to stop treating adults like babies that need their hands
| held through everything and let them learn that their
| decisions have consequences.
|
| 99% of people don't need that kind of security anyway,
| just keep a piece of paper with the codes somewhere
| hidden that you can remember, you don't need to have
| access to them all the time unlike a normal password.
| xp84 wrote:
| I much prefer this approach (and can take responsibility
| because I feel perfectly empowered to make as many copies
| and backups of my recovery keys as I need to make it
| effectively impossible for me to ever be locked out), but
| this whole thing points to how giving people the security
| they claim they want is at odds with their convenience at
| every touchpoint. I have repeatedly refused a family
| member's request to set a front door access code that is
| any family member's birthdate, a very common habit
| because _that's the kind of thing people want to use._
|
| I continue to believe that security for nontechnical
| users is not a solved problem. WebAuthN or whatever may
| someday help solve this puzzle, but only if someone
| packages it in a way that is so frictionless that it's
| _easier_ than just using your birthday and initials as
| your password for every account like my dad did. And if
| the recovery story for the "All my electronic devices
| fell into a lake" situation is something less exploitable
| than the pathetic SMS. I'm thinking notarized letter as
| someone else pointed out.
| shadowgovt wrote:
| > at some point we need to stop treating adults like
| babies that need their hands held through everything and
| let them learn that their decisions have consequences.
|
| Never underestimate the _massive_ market advantage gained
| from treating adults like babies and handling all manner
| of frustrations for them.
|
| UX researchers would call that "A good user experience."
| TeMPOraL wrote:
| Or maybe, when they're first setting this up, excited
| about the new thing in their life that is their first
| smartphone or something, they don't realize yet that a
| couple years down the line, half the things in their life
| will be gated by the Google account login form.
|
| When first set up, the Google account really _isn't
| something to care about_. It's only over time, and you
| getting used to all the conveniences it offers, that it
| slowly but surely becomes important.
| booi wrote:
| Can you just reset my password to P@ssword2023!
| ndsipa_pomu wrote:
| No, it can't be a previous password
| dexterdog wrote:
| It was P@ssword2022! previously
| qup wrote:
| It must contain a bizarre character that you would
| normally never use in a password.
| TeMPOraL wrote:
| > _You open your safe and you use one of the recovery codes
| that you wrote down when you set up 2FA._
|
| HN rarely does humor, but when it does, it _really cuts
| deep_.
|
| Can you really expect a typical person - including the
| tech-savvy ones - to keep a hastily written piece of paper for _a
| decade_ or more, without losing it? My code card is clocking
| on a decade, I needed it only once (so far), and it's only
| pure luck that, in all those years, I haven't accidentally
| destroyed it or thrown it away.
|
| Also: it only recently became apparent just how bad it is to
| lose access to your Google account. Most tech-savvy people I
| know don't even realize how many things in their lives are
| gated by that little login form. Non-tech-savvy folks? Maybe
| they'll figure it out in a decade, after enough people have been
| thrust into poverty for the lack of Google 2FA recovery codes
| - so many that it's as boring a news story as car
| accidents.
| JohnFen wrote:
| > Can you really expect a typical person - including the
| tech-savvy ones - to keep a hastily written piece of paper
| for a decade or more, without losing it?
|
| Personally, I keep these in my password manager. My
| password manager is offline-only, and the database is
| regularly backed up, so this makes sense for me.
| kmeisthax wrote:
| What you're describing already happened. When Google turned
| on 2FA for everyone, every librarian in the country was
| inundated by homeless people and old people who had just
| been summarily evicted from the Internet.
| skybrian wrote:
| Where do you keep your passport, if you have one? Your
| birth certificate? Any other important papers you have?
|
| No, it's not reasonable to expect everyone to be well
| organized. Life can be chaotic. People lose stuff. We know
| this. Some people are so unfortunate as to lose _all_ their
| stuff. Repeatedly. The level of organization people have
| varies extremely.
|
| But I do expect there are hundreds of millions of typical
| people with houses and sufficient organization to hang onto
| their important papers, and it's a good idea to add your
| backup codes to your other important papers. It's good
| advice, though not always applicable.
| crummy wrote:
| > Where do you keep your passport
|
| Honestly, losing my passport probably wouldn't be as big
| a deal as losing access to my Google account.
| jpalomaki wrote:
| This is why I don't like when people outright dismiss SMS
| as a suitable second factor. Yes, it has problems, but it
| also has a recovery mechanism that is accessible for
| "ordinary people".
|
| The best solution (for me) would be to connect the Google
| Account to my government issued identity and utilize the
| strong authentication provided by government for account
| recovery.
| xp84 wrote:
| > SMS as suitable second factor
|
| It could be suitable, within certain boundaries _, but
| no, given that sim swapping just means bribing (or simply
| social engineering with a crude fake ID) a minimum wage
| worker at a mall store, anyone whose identity is worth
| more than $50 to steal should never even consider it.
|
| _ For example, if it could only be initiated from a
| browser where you have successfully signed in on at least
| two different days, or from a residential IP where you
| were seen recently.
|
| I would much rather see a mailed postcard, as the
| last-resort fallback to a TOTP. Better to be locked out of
| your account for 4 days waiting for the mail, than to be
| locked out of it indefinitely while the criminal has full
| access.
|
| > my government issued identity and utilize the strong
| authentication provided by government for account
| recovery.
|
| Yes, that seems so obvious and yet to my American ears it
| sounds almost like science fiction. People here
| unironically argue that a national ID card is the Mark of
| the Beast from the Bible.
| WorldMaker wrote:
| I've been joking about a need for "notary factor" for a
| long time. There's an existing, deep and distributed
| network of notaries public that could be reused for
| stronger authentication in the modern world. In classic
| banking if you had a recovery problem you could send
| certain types of notarized letters to get stuff done. It
| was slow: however long it took to prepare the letter,
| find a notary public to get it notarized, and then
| presumably snail mail it to its destination. But
| sometimes _slow_ is better: if someone is trying to steal
| my account, if they need to get the right forms notarized
| and mailed to the right PO Box, there are many steps
| along the way where I can intercede or a notary public
| can interject ("I won't notarize this because my ethics
| do not allow it.") or presumably a human recipient at a PO
| Box can reject the mail for any number of violations or
| failures of documentation.
|
| I think it would be great if the recovery mechanism for
| "ordinary people" took about the same amount of time as a
| notarized letter. In that worst case where you are locked
| out of your account for a week or two it won't feel
| great, but it also helps you feel better that some jerk
| trying to steal your stuff can't do it any faster either.
|
| There are all kinds of fun technical things that could be
| used to actually build interesting "notary factor" tools.
| I think tech companies mostly reject how cool it could be
| to build because they see "slow" as a "bug" rather than a
| "feature".
| l33tman wrote:
| Can't you recover your google account by SMS, even if you
| have GA turned on?
| dahwolf wrote:
| I do quite a lot of tech support for older people and would
| add that forgetting passwords isn't the only issue; an even
| larger issue is people not understanding passwords at a
| conceptual level.
|
| Try as I might, my mother doesn't understand the difference
| between an iPad device PIN, an Apple ID (rarely needed),
| her email password on this same device (Google-based in
| this case) and add a few dozen more.
|
| All she knows is the device in her hand. The abstract model
| we have where we separate device, service, app, web page,
| different companies...simply does not exist for her, it
| does not compute. So even if she'd have the discipline to
| write down things, it would still not work. She doesn't
| even grasp what part is asking for what.
|
| There's a reason big consumer services like Google and
| Facebook have not enforced 2FA: a vast population will
| severely struggle understanding what the hell it is and
| what to do.
|
| Even when you do enable 2FA on Google yourself, it runs in
| "soft mode". It doesn't ask for 2FA for previously trusted
| devices/locations. Surely for good reasons.
| charcircuit wrote:
| I believe the idea is that for as long as you still have 1
| device signed in you can recover it by using one of the codes.
| ocrow wrote:
| Yep. Also missing from the announcement are any instructions on
| what people need to do to use the feature.
| xattt wrote:
| Nor the follow-up necessary should your account happen to be
| randomly blocked.
| kevincox wrote:
| > To try the new Authenticator with Google Account
| synchronization, simply update the app and follow the
| prompts.
| nixcraft wrote:
| Here they have a support page
| https://support.google.com/accounts/answer/1066447
| jbverschoor wrote:
| Post by "Group Product Manager". It's a pretty useless post.
| Could've been 2 sentences.
|
| From the support page:
|
| > If you're signed in to their Google Account within Google
| Authenticator, your codes will automatically be backed up and
| restored on any new device you use.
|
| Still doesn't explain how it works. On the same page they're
| talking about synchronization:
|
| > Google Authenticator 6.0 on Android and 4.0 on iOS introduces
| the option to keep all your verification codes synchronized
| across all your devices, simply by signing into your Google
| Account.
|
| I don't understand why "people" think it's a good idea to hide
| any form of mental model or technicalities.
|
| Provide people with a mental model. It will make it easier to
| understand all the Ws. People are not stupid. They will
| understand, as long as you can describe it properly.
| exabrial wrote:
| Is this the same way Google Podcasts works, where I "have to"
| have "web, location, and usage history tracking" enabled to
| subscribe to a podcast? lol
| glintik wrote:
| OMG, after so many years Google was able to hear users! Before
| this update I had to use two phones, synching them manually.
| gigatexal wrote:
| If any PMs at Google are reading this for this product please,
| please, please, for the love of god let me export my Google
| Authenticator TOTPs back and forth from other managers like
| Bitwarden or 1password etc. I know it's against your interest but
| it's in the interest of the end user.[1]
|
| [1] yes I know there are github projects that make this doable
| but it's super involved whereas it doesn't need to be.
| crossroadsguy wrote:
| Quite interesting to see that Google Accounts, known for locking
| users out i.e. AI auto-banning without recourse, might become a
| major gatekeeper of other accounts as well.
| xp84 wrote:
| Indeed. I find it extra concerning because their "risk based"
| system which can simply decide you're locked out -- even when
| you know your login! -- just because it doesn't recognize your
| IP or cookies, offers no guaranteed from-scratch recovery
| unless you have set up the glaring security hole that is SMS. I
| have an extra throwaway Google account (thankfully for nothing
| important) whose password I never forgot, but which I simply
| cannot log into ever again because I didn't set up any 2FA or
| recovery email, and Google just decided it didn't like the look
| of me one time.
| roopakv wrote:
| I remember pushing for this when I was at Google ~5 years ago. I
| wasn't on the team but I wrote 2 proposals, one to do QR code
| export and imports and another to sync codes using the google
| backup framework.
|
| Neither was approved nor denied, just in limbo. But nice to see
| that both features have finally shipped. Sadly I have switched
| away to 1P, too much effort to move it all back.
| briffle wrote:
| > Sadly I have switched away to 1P, too much effort to move it
| all back.
|
| It seems like a very, very bad thing to store both your
| passwords, and TOTP codes in the same tool...
| bdcravens wrote:
| I agree, and I'm a huge 1Password fan.
|
| I use Authy instead, which also backs up TOTPs.
|
| I'm also having the same thoughts about Google Auth: my email
| (Gmail) is a big target for gaining access to the rest of my
| digital life, and putting 2FA in the same hands seems risky.
| I'd need to do more evaluation to consider leaving Authy.
| psanford wrote:
| The main point of TOTP is that users' passwords are mostly
| weak and reused across sites. TOTP protects those users from
| password stuffing and similar attacks.
|
| If you are using a strong random password generated from 1PW
| you've already mitigated against that threat. TOTP isn't
| buying you much additional security. So for most folks it is
| just fine to store your TOTP seed in 1PW.
|
| Unlike TOTP, passkeys _do_ buy you additional security in
| their phishing resistance. So you should always prefer
| passkeys/fido2 keys to TOTP if that is an option. It's still
| fine for most users to use 1PW as your passkey storage.
| Takennickname wrote:
| It literally protects you from key loggers. Isn't that
| important?
| psanford wrote:
| In practice, no. Key loggers are a minuscule threat to
| account security compared to weak passwords and password
| reuse.
|
| But let's say you are in fact a user that gets targeted by
| an adversary capable of deploying a key logger against
| you. Does TOTP protect you? No! If you are compromised to
| that point, the attacker is also in a position to just
| hijack your sessions.
|
| There isn't a threat model out there that is trying to
| solve the problem of "my end user device has been
| compromised but I still want to be able to use it to
| access sensitive systems without those systems being
| compromised."
| hirsin wrote:
| Token binding was the closest we had - still lets a
| compromised endpoint in the right position steal and use
| the tokens from that device, but it's at least not
| persistent.
| Takennickname wrote:
| True
| tasuki wrote:
| > If you are using a strong random password generated from
| 1PW you've already mitigated against that threat. TOTP
| isn't buying you much additional security.
|
| Why isn't TOTP buying much additional security?
|
| It seems to me that apart from password reuse it's
| mitigating many other potential problems: keyloggers
| leaking passwords from your device, passwords leaking from
| the authenticating server, etc.
| xyzzy_plugh wrote:
| Furthermore the risk exposure to using TOTP in 1pw is
| almost insignificant. You can configure your 1password
| account to require 2FA when setting up new devices, and
| unlike Google here the decryption requires manual knowledge
| not shared with the cloud.
|
| The only argument I can imagine is that if someone gets
| ahold of your phone it's either locked and they can unlock
| it or it's unlocked, in which case either your 1pw account
| and/or other TOTP apps are either locked or unlocked. In
| the worst case scenario where everything is unlocked,
| having a separate app is negligible.
|
| Besides, AFAIK Google Authenticator doesn't require
| additional unlock steps, unlike authy or 1password.
|
| You're better off worrying about how to avoid TOTP and
| securing 1password than about having TOTP codes stored
| alongside your passwords.
| roopakv wrote:
| Very true, however as others have pointed out it all comes
| down to levels of security.
|
| There are many non important accounts where I have 2FA, and
| both the password and the TOTP is in 1p. This should suffice
| for any brute force password attacks. However there are some
| accounts (like google) which one can consider more important
| for which I keep the TOTP on a separate app like Authy.
|
| More recently I've been switching to yubikeys where possible.
| r00fus wrote:
| As a former Google Auth user, who bungled my own phone
| migration a few years ago - yeah, defense in depth is better
| but at the time, I was furious there was no way to recover my
| Google Auth and I had to go to every single service and reset
| my 2FA.
|
| Storing both on 1Pass is not as secure, but if the option is
| that once in a while you misstep and spend a week restoring
| TOTP setup (or lose entire accounts because your service
| provider has no functional customer support) then I'm
| amenable to stable but less secure options.
| nighthawk454 wrote:
| Eh, it's still better than not having it. Which is likely the
| bar for a lot of casual users. Mostly the goal is to prevent
| password reuse I think, which comes down to convenience. And
| unless 1pass gets hacked (which could happen! see: LastPass)
| it's relatively secure for that purpose.
| unethical_ban wrote:
| I'm more concerned about the one tool being cloud-based than
| anything.
|
| I keep my 2fa backup codes in my Keepass safe. Where else
| will I keep them?
| ClassyJacket wrote:
| I would've even been happy if they didn't block you from
| screenshotting the QR export code. This has caused me so much
| pain over the years but nope, they refuse to change it.
|
| This basically means you can never factory reset your phone
| without someone else using their phone to help you, which means
| you're forced to share your entire account and all your codes
| with a third party who might keep them forever.
|
| You also can't preemptively back it up in case your phone is
| stolen or lost.
|
| But nope, Google thinks they know best and in 2023 they still
| actively block you from keeping your accounts safe. It's mad.
| Gareth321 wrote:
| Years ago I got FUCKED when I used Authenticator and bought a
| new phone. I just assumed everything would be backed up to
| iCloud, like everything else. I lost access to accounts which
| were almost impossible to retrieve. Millions of people have
| been screwed thus, turning people away from 2FA. I can't
| believe it has taken this long to enable sync.
| elbigbad wrote:
| Yep, I've been using Authy for years because of this. Before
| that, I would have a second phone with GAuthenticator on it
| and when I scanned the QR code to set up a new account, I
| would do it with both phones simultaneously to make sure I
| had a backup. It always struck me as absolutely ridiculous.
| pkaye wrote:
| Why couldn't you use your old phone to get access and switch
| over?
| nness wrote:
| If you damage your Android screen it is basically useless
| unless you have pre-emptively set up some kind of remote
| access process...
|
| Twice I've had to spend hours manually resetting/re-enabling
| my 2FA after a phone was damaged, and sans buying a new
| screen just to get a backup of the phone, there aren't many
| other options.
|
| (Similarly, this was the time I learnt that the UK gov does
| not issue backup codes for their 2FA and you just have to
| spend 45 mins on hold to have them reset it for you.)
| TeMPOraL wrote:
| Exactly this. I bought my current phone after I dropped
| my previous one and cracked its screen. I was only able
| to recover access to critical services because I had
| previously set up some Tasker automation connected to my
| Pebble watch, which enabled me to navigate the phone "in
| the dark" enough to turn on AirDroid, allowing me to
| screen-mirror the phone to the PC. Of course, all the 2FA
| tools have this stupid idea of blacking the screen when
| it's being mirrored - but fortunately, I was able to turn
| on USB debugging this way, at which point I plugged the
| phone in and used scrcpy to show a fat middle finger to
| Google and plain recover everything from Authenticator.
| dcchambers wrote:
| Now imagine trying to explain this to anyone outside of
| the tech industry. I imagine only a small percentage of
| software engineers and IT folks in general would be able
| to accomplish what you did. How easy it is to
| accidentally fuck yourself over with app-based 2FA is one
| reason I've been hesitant to recommend it to my non-tech-
| savvy friends and family. While SMS 2FA is a lot less
| secure, it's at least pretty much idiot-proof.
| teaearlgraycold wrote:
| You can get the database out of the phone. It requires adb
| and root, though.
| allday wrote:
| Our onboarding docs specifically tell employees to NOT use
| Google Authenticator precisely because of this issue. I have
| no idea how Google let this fester for so long, literally if
| even one (1) person over there was using it and got a new
| phone, they should have known about the issue.
| nanidin wrote:
| The app has supported bulk QR code export and import for
| years. This makes it easy to transfer to a new phone, and
| relatively easy to make physical backups.
| bobbylarrybobby wrote:
| Right, just like I can carry a thumb drive around with my
| files and manually sync between every computer I use. Or
| just use Dropbox...
| hirsin wrote:
| Which only worked if you had both phones working at the
| same time... I'd bet a sizable portion of new phone
| enablements are due to losing the previous phone
| irrevocably.
| nanidin wrote:
| The QR code encodes the actual secret data for the TOTP,
| so backing up the QR code is sufficient.
|
| Screenshot -> Print is one backup method.
|
| Screenshot -> Encrypt -> Save to secure location is
| another method.
| spear wrote: | You'd save the QR code at the time you first used it on | the old phone, and not wait for when you needed to | transfer it. | | For me, I'd usually be on the desktop when setting up 2FA | anyway, so I'd just save the QR code from the desktop | browser ("Save image as ..."). When I needed to set up a | new phone, I'd open the saved image on the desktop and | point my phone at the screen. | ClassyJacket wrote: | Nope, you can't screenshot the page, so you can't save | the code and can't send it to another phone. This means | you can never trade in a phone for a new one and if your | phone is lost or stolen you're locked out of all your | accounts forever. | | They actively added code to prevent you taking | screenshots, which is insane but true. | nanidin wrote: | I'm on iOS and I'm able to screenshot the QR code with | version 3.4.0 of the app. Maybe the screenshot lockdown | is limited to Android? | | In any case, if you're trying to create a backup there | are other avenues of capturing the QR code - offline | digital camera is probably the most secure way of doing | so. | WheatMillington wrote: | What if I drop my phone into the lake and need a new | phone? | nanidin wrote: | Well, hopefully you created a backup by storing a copy of | the QR code somewhere :) | unethical_ban wrote: | Interesting - but not good enough. For the threat model | TOTP solves, it is not absurd to want Authy-like | functionality where codes can be backed up, encrypted, to | a cloud service OR like Authone (?) which allows you to | export the data to a file. | apocalyptic0n3 wrote: | Yeah, same with my company. "DO NOT USE GOOGLE | AUTHENTICATOR" is littered throughout our Intranet and | onboarding docs in bold letters with recommendations for | different options. And people still use it and lose their | codes all the time. 
| | Now it's tied to the Google Account which means it'll be | tied to either their personal or work account and now we | have to worry about personal account bans removing their | 2FA or when they leave the company, our suspension process | killing personal 2FA that were synced via the wrong | account. | et-al wrote: | fwiw, Google Authenticator starting with 3.1.0 started | supporting exports via QR code. | nonfamous wrote: | Yeah, but only as a means of transferring them to another | device. Sure, you could abort the flow before the existing | codes were deleted, but it was far from ideal. | | I'm glad there's finally real support for backing up codes. | mgbmtl wrote: | Hmm no, I use this from time to time, and it really is just | a way to copy the codes to another device. It won't delete | them from the original device. It notifies the device owner | after a few minutes that the TOTPs have been exported, and | it keeps a log of exports. | | I'm in the process of moving to Aegis. It's FOSS, encrypts | the file on the device, and supports the biometric lock. It | can do a daily backup to a few sources, including the | Google backup (I think) and personally I dump it to a | folder that my Nextcloud will automatically upload to my | personal server. | ClassyJacket wrote: | It doesn't delete them from the existing device. However, | it exports them via QR code, which it prevents you from | screenshotting, meaning you can never factory reset your | phone or protect yourself from theft or loss. You can only | transfer to another phone when you have both devices | working at the same time. | wildpeaks wrote: | Does the export invalidate the existing device after export? | It sounded like it's only for moving to a different device | rather than having two at the same time. | wiredfool wrote: | Not on iOS within the last year or so. | neves wrote: | QR code export is an old feature. I have an Android emulator on | my desktop just to have a backup of my codes.
| adrr wrote: | The worst thing about Google Authenticator was migrating | to another device and the amount of support my IT team had to deal | with for people upgrading phones. I can't believe how long it took | for an export feature. | admn2 wrote: | Yeah, I switched away from Google for this reason. Pretty | wild to think of the implications of losing your phone and | having no backup. Even switching phones required resetting | all your codes. Authy is a mess, but at least had this | functionality when they were still actively worked on. | princevegeta89 wrote: | All you need is the OTP secret. I have all of mine stored in | my Bitwarden. I can plug and play them in any supporting app | to keep generating the 2FA codes. | justeleblanc wrote: | Nice to see it catching up. It feels like competitors (MS | Authenticator, 1P, the iOS thing...) have had it for ages. | bilal4hmed wrote: | I have started using Aegis on Android which is fantastic. Backup | and restore anywhere. | | My advice would be to not have everything in one place, no matter | which ecosystem you are on. Going all in is never a good idea | whether it's Google or Apple. It's great that Google has done this, | but just use another app to manage that. | mmh0000 wrote: | If you're on Android, you should check out FreeOTP+[1], a far | better OTP client. | | FreeOTP Plus forked the same functionality of FreeOTP provided by | RedHat with the following enhancements: | | * Export settings to Google Drive or other document providers | | * Import settings from Google Drive or other document providers | | * Enhanced UI with material design with dark theme support | | * Search bar to search tokens | | * Provide more token details for better interoperability with | other apps | | * Utilize modern camera hardware to scan QR codes faster | | * Option to require Biometric / PIN authentication to launch the | app | | * Heuristic based offline icon for tokens of 250+ websites.
| | * More settings to customize the app functionality | | [1] | https://f-droid.org/en/packages/org.liberty.android.freeotpp... | nashashmi wrote: | I recommend http://totp.app for Android. You can even set the | app as default on Android. | moogly wrote: | Or Aegis Authenticator. It is basically a perfect app IMO. | tacker2000 wrote: | To be honest I wouldn't trust Google with any accounts anymore. If | you somehow get your account locked or banned, for whatever | reason, you're screwed forever. | 0xbadcafebee wrote: | I'm also on 1Password. No idea why I would use Google | Authenticator. "Hey we have Google Password Manager" - that's | great, so I can be locked into your platform while you take | another 13 years to implement a basic feature? No thanks? I'd | rather pay a company that cares about my experience, thanks. | explodingwaffle wrote: | While we're complaining about Google's 2FA offering... | | The issue described here started happening to me recently: | https://www.googlenestcommunity.com/t5/Apps-Account/Why-is-G... | | Summary- Google has added a "match the numbers in the app" style | 2FA to YouTube. Makes sense- their video monopoly means that for | many iOS users like myself it's the only Google app they've got. | Except... | | 1) It's the default, and there's no apparent way to change it, or | even turn it off. This is annoying- I prefer TOTP since it's more | secure. There's a Google Prompts section in the 2FA settings, but | it says that I don't have any supported devices. This actually | makes sense, because | | 2) It doesn't f*king work! Ever since they changed it from "press | yes" to "match number", the screen opens in the YouTube app and | then loads forever. Which means I've got a spurious notification | on my phone, a screen to dismiss next time I open the YouTube app | (or several, because for some reason they can stack), and two | extra clicks every time I log into Google on a new device.
| | Actually, I lied earlier- there is one way to disable it, and | it's to DISABLE ALL 2FA, as you can see people doing in that | support thread. I honestly don't blame them, but clearly less 2FA | was not the plan of whoever's idea this was. Speaking of support | forums- I don't think anyone at Google reads them, but they do | read HN :)))) | hyperdimension wrote: | Wow, that link is such a great example of Google's "support." | | "This channel is for troubleshooting Google devices. It is best | to report this with YouTube support for better assistance. | [...] I'll be locking this thread after 24 hours." | | ...just because the initial report contained the keyword | 'YouTube', presumably. The reporter clarified the situation, | and a different "support" team member comes in and regurgitates | the same canned response! On Google's side, why even bother | replying at all if that's all you're going to do? | 0xbadcafebee wrote: | > On Google's side, why even bother replying at all if that's | all you're going to do? | | Oh, it's just so they can claim to their advertisers that | they do support. | | Remember: if you're not paying for the product, you _are_ the | product! | (https://en.wikipedia.org/wiki/Television_Delivers_People) | devnullbrain wrote: | >Remember: if you're not paying for the product, you are | the product! | | This cliche isn't true: if you pay, you're a more valuable | mark. You're always a product. | dontblink wrote: | Just an FYI here: Google's community support forums aren't | well named as their intended purpose is for users to answer | other user's questions. For the community to support each | other. | | For actual support you need a paid account to reach out to. | | You could argue that it's badly named and should just be | called Google's community forum instead, which is what it | really is. | hyperdimension wrote: | That's pretty funny and makes sense. I guess I shouldn't | have expected anything more from Google. 
Thanks for the | clarification. | lasr_velocirptr wrote: | One of the potential solutions might be to just treat YouTube | as a separate service i.e. create a separate account for | YouTube with 2FA disabled. | | It's not ideal since you need to deal with two accounts but | that's what password managers are for. | NavinF wrote: | Never encountered that. Is this because I got lucky in an A/B | test or because I have Advanced Protection turned on and only | use FIDO keys? | getpost wrote: | A certain webhost requires me to use Authenticator for 2FA, and I did | so. I also configured my iPhone to delete unused apps. | Authenticator was unused, and got deleted, so naturally, I had to | open a support ticket with the webhost to remove 2FA to regain | access to my webhost account. I hope this feature will maintain | my setup if the app gets deleted. | murat124 wrote: | Why did it take so long? 2FA has been around for quite some time | now. Was there pushback at Google? Or, just neglect? | sylware wrote: | ... and noscript/basic (x)html browsers ? | | mmmmh.... | tzs wrote: | Note that there are two kinds of backups possible for TOTP | secrets: | | 1. Backups that are specific to the app that made them. They can | be used to restore the secrets to that same app on a new or | replacement device, but might not help if you want to migrate to | a different app. | | 2. Backups that can be restored to other apps. | | If you aren't sure you are going to stick with the same TOTP app | long term this could be important. | | Sometimes there are third party tools that can take #1 type | backups and give you back the secrets in a form suitable for | other apps. | | For example, Google Authenticator can export the secrets in the | form of a QR code that contains the secrets for multiple accounts. | Another instance of Google Authenticator can read that, but other | TOTP apps might not be able to.
But this tool [1] knows how to | take the information in that QR code and decode it and split it | into the individual secrets for each site. It can even generate | QR codes of those for scanning into another TOTP app. | | If you want #2 type backups that just work with most TOTP apps, | there is a fairly easy way to get them. Whenever you set up a new | account and a site gives you a QR code, simply take a screenshot | before using that QR code to finish setting up the new account. | | Store your collection of QR code screenshots somewhere safe. | | If you ever want to migrate to a new TOTP app or to the same app | on a new device, open those saved screenshots and scan the codes. | | If you've got an image display program that will let you open | many at once, restoring can be pretty fast. On my Mac for example | I just do "open *.png" in the place I have the screenshots. That | opens them all in Preview, with each one being a separate page. | Then I tell Preview to show one page at a time. | | Then it is a matter of scanning one, hitting "page down" on the | keyboard, and repeating until they are done. After two or three | I'm in the groove and it goes pretty fast. | | [1] https://github.com/dim13/otpauth | TacticalCoder wrote: | > backups possible for TOTP secrets: > > 1. Backups that are | specific to the app that made them | | I never thought about that. I always back up the key _before_ I | first use it, when it's shown for the very first time. Heck, | I've written a CLI / text TOTP app (using some Java TOTP | library) for my own use (fully offline / airgapped / password | protected / showing six codes at once for the same code [+1 | hour / now / -1 hour and previous code / current code / next | code] and which also shows a public/commonly used example code, | which is convenient to diagnose sync/clock issues). | | > But this tool [1] knows how to take the information in that | QR code and decode it and split it into the individual secrets | for each site.
| | Like JBSW Y3DP EHPK 3PXP ? | | In my experience every site that shows the QR code offers the | possibility to see that secret (and those that don't are | misleading users into thinking it's more complicated than it | is). | | A TOTP secret is just that: 16 or 24 or whatever characters. | The QR is just an encoding of these characters. The "issuer" | serves no role other than to autofill the name of the service for | you (and you're not forced to use the issued name; you can use | any name you want). | | I never _ever_ scanned a QR code to configure 2FA / TOTP for | any site. I write the 2FA code down, then encode what I've | written down (in at least two devices). | ajonit wrote: | If Google ever decides to kick you out of your account, | Authenticator data will be gone. Google has done this on several | occasions in the past. | | I would still prefer an independent app for password manager and | another for TOTP with backup enabled for all. | nikeee wrote: | Does that mean one can use adb to backup Google Authenticator's | data as well? Last time I tried, the app data was explicitly | marked as excluded in backups. I started saving the secrets | somewhere else because otherwise, I wouldn't be able to have | _any_ backup. | flippinburgers wrote: | There are alternatives like Aegis. People should just turn their | backs on Google Auth altogether. | hammyhavoc wrote: | Too little too late. Moved to Bitwarden with a Vaultwarden | server. | amaccuish wrote: | Such a bizarre app. Instead of implementing push notifications in | the "Google Authenticator" app, Google decided to add the logic | to all other apps like YouTube. Before we introduced Okta, our | users would get notifications like "Open the YouTube app on your | phone to approve this login". | | Whilst clever for the people who don't have Google Authenticator | installed, it's just bizarre to ignore it when it's there.
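The points tzs and TacticalCoder make above (an otpauth QR code is just a URI carrying a base32 secret plus parameters, and a few codes either side of "now" make clock drift obvious), together with ianopolous's complaint further down about apps that ignore the `algorithm` parameter, are shown in working form below. This is an added example, not code from the thread or from any of the apps discussed; the account name and issuer are made up, and the secrets are the RFC 6238 reference seeds.

```python
"""TOTP from an otpauth:// URI: parse, generate, and verify with a skew window."""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, unquote, urlparse

# Hash functions an otpauth URI may name via its `algorithm` parameter.
_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


@dataclass(frozen=True)
class TotpParams:
    label: str            # e.g. "Example:alice@example.com"
    secret: bytes         # raw key bytes (the base32 text in the URI, decoded)
    issuer: str = ""
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30


def decode_base32_secret(text: str) -> bytes:
    """Decode a base32 secret as sites print it: any case, grouped with spaces, no padding."""
    compact = text.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


def parse_otpauth(uri: str) -> TotpParams:
    """Parse otpauth://totp/LABEL?secret=...&issuer=...&algorithm=...&digits=...&period=..."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    algorithm = query.get("algorithm", "SHA1").upper()
    if algorithm not in _ALGORITHMS:          # do not silently fall back to SHA1
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return TotpParams(
        label=unquote(parsed.path.lstrip("/")),
        secret=decode_base32_secret(query["secret"]),
        issuer=query.get("issuer", ""),
        algorithm=algorithm,
        digits=int(query.get("digits", 6)),
        period=int(query.get("period", 30)),
    )


def build_otpauth_uri(account, secret, issuer="", algorithm="SHA1", digits=6, period=30):
    """Build the URI a site would embed in its enrollment QR code."""
    label = quote(f"{issuer}:{account}" if issuer else account, safe="")
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm={algorithm}&digits={digits}&period={period}")


def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), _ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(params: TotpParams, at: float, step_offset: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period), optionally shifted."""
    counter = int(at) // params.period + step_offset
    return hotp(params.secret, counter, params.algorithm, params.digits)


def totp_window(params: TotpParams, at: float, steps: int = 1) -> list[tuple[int, str]]:
    """Codes for the previous/current/next time steps; a drifted clock shows up as a
    neighbour matching what the site expects."""
    return [(k, totp_at(params, at, k)) for k in range(-steps, steps + 1)]


def verify_code(params: TotpParams, code: str, at: float, skew: int = 1) -> bool:
    """Server-side check accepting +-skew steps, constant-time compare per candidate."""
    return any(hmac.compare_digest(candidate, code) for _, candidate in totp_window(params, at, skew))


# Constructed samples built from the RFC 6238 reference seeds; account and issuer are made up.
SAMPLE_SHA1_URI = build_otpauth_uri("alice@example.com", b"12345678901234567890",
                                    issuer="Example", digits=8)
SAMPLE_SHA256_URI = build_otpauth_uri("alice@example.com", b"12345678901234567890123456789012",
                                      issuer="Example", algorithm="SHA256", digits=8)

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_SHA1_URI)
    print(params.label, params.issuer, params.algorithm, params.digits, params.period)
    for offset, code in totp_window(params, time.time()):
        print(f"{offset:+d} step: {code}")
```

Feeding `SAMPLE_SHA256_URI` to a generator that always uses SHA1 yields a code the site will reject, which is exactly the failure an app that ignores `algorithm` produces.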
| [deleted] | ellm wrote: | Google's preference of their weird, bespoke authenticator over | TOTP is also very annoying to anyone who would rather not. (it | is required to add any additional authenticators, and the | default authenticator) | joshuamorton wrote: | It's more secure though. | | TOTP are still phishable, the push notification includes | information on where you're logging in from, so you at least | have a chance to notice that the login is coming from Croatia | and not your house. | | FIDO is still vastly better though. | mgbmtl wrote: | With Google Authenticator, there is no notification, is | there? As a user, you have to open your phone, open the | app, then scroll to the right code, and copy/paste it. (The | lack of search in one of the reasons that made me switch to | Aegis) | | I always thought Okta was kind of weird, because it's just | a notification that says "allow/deny" and it's easy to | click the wrong one. | joshuamorton wrote: | It's possible I'm confused by GP, but there's two things | being discussed here I think: | | First, Google Authenticator, which is in fact just totp | which can be used for both Google 1p and any 3p TOTP | thing. And second Google's push-notification based auth | checks which are used for only certain 1P Google apps | (like logging into your gmail or youtube). | Lammy wrote: | They also once bizarrely replaced the | `com.google.android.apps.authenticator` package with the new | (and still used) `com.google.android.apps.authenticator2`, | making everyone set up their accounts all over again or forgo | updates: https://www.androidpolice.com/2012/03/22/psa-googles- | authent... | | The old one has its name changed to "(old)": | https://play.google.com/store/apps/details?id=com.google.and... | fullstop wrote: | Too late, Google, I already switched to Yubikey. I kind of like | that my TOTP keys are a separate entity from my phone. 
| stronglikedan wrote: | Yup, I'd rather pay Bitwarden a nominal fee and be able to | authenticate everywhere, than deal with the incredible amount | of unnecessary friction Google has imposed since forever. Never | going back. | bombolo wrote: | If only that was more broadly supported. | fullstop wrote: | Where is it missing support? | | edit: I want to reiterate that these are still TOTP codes and | not WebAuthn/FIDO2. | bombolo wrote: | Oh I thought you meant those USB devices that need to be | set up, like Google Titan and similar. | fullstop wrote: | Ah, no, these can connect to a PC over USB and to a smart | phone over USB or NFC to generate a 6 digit TOTP code, | just like Google Authenticator does. | | They can also do more sophisticated things, but that's | not what I was referring to here. Those sophisticated and | more secure things are supported by Google, Facebook, | Dropbox, Github, etc, but not by most banks. Banks are so | slow with this stuff and still do SMS-based 2FA which is | absurd to me. | throw7 wrote: | Storing it in the Google cloud doesn't satisfy me. I just simply | want the codes under my control. The current authenticator did | finally allow export to QR code, but Google still makes it | stupendously difficult to just get a simple text export to a | file. | | It's not been a problem for me though as I've just always saved | the otpauth code from the start. | kobalsky wrote: | I save the QR codes in an encrypted folder that I can quickly | import into a YubiKey with: for i in *.png; | do uri=`zbarimg -q --raw "$i"` && ykman oath accounts uri | --touch --password "MYYUBIPASS" "$uri"; done | ianopolous wrote: | How about they support the algorithm parameter in the TOTP spec, | rather than silently ignoring it and hard-coding HMAC-SHA1? | mullingitover wrote: | Google's authenticator has been outright harmful in how neglected | it has been, especially when it comes to backing up your codes | outside the app.
This should be a very full-featured and well- | maintained application considering how essential it is for | security. | | For years I've been telling anyone who'd listen to use Authy | instead. | tonymet wrote: | Good move . for too long usability suffered . | | most of these security protocols fail to scale . what happens | when you have 30 tokens and you get a new device ? | | many vendors are still requiring a phone call. | | security without usability is just cosplay | izacus wrote: | If anyone is looking for good alternatives on Android - Aegis and | Authenticator Pro are both good opensource apps, available on | F-Droid/Play and also allow easy backup to a cloud (or storage) | of choice. | amiga-workbench wrote: | Thumbs up for Aegis, I've been using it for years and the | backup & import/export has saved my ass several times now. | exoji2e wrote: | If you are concerned with lockout and want offline, interoperable | backups of your 2auth codes I strongly recommend Raivo. It can't | import from google authenticator directly, but it's possible to | extract the secrets with some docker script, and then enter them | manually into Raivo. | ec109685 wrote: | I've been using Authy because it supports syncing to the cloud | (encrypted with a key that you control). | | Glad Google finally has this. | manv1 wrote: | Years ago I updated authenticator and it wiped out all my | entries, which led to an incredibly aggravating week of account | recovery. | | What happens to your data when google decides to lock your google | account? Does your device keep a local copy or will it just shut | down? | heliophobicdude wrote: | I recently had a broken phone replaced and had depended on a | backup to have my TOTP keys on my new phone. It was not a part of | the phone backup. :( | svachalek wrote: | Same. Someone needs to make all this both secure and usable. 
| For now, I'll even take "this is going to ruin your day but at | least there's a standard and consistent way to deal with this" | as usable, maybe we don't want anything easier than that for | security reasons. | xyzzy_plugh wrote: | Too little too late. Everyone I know has moved to 1password or | authy or yubikeys (or some combination). | | I'll never understand why they didn't do this many years ago. | ClassyJacket wrote: | Yep, way too late to keep me on it. I don't trust them anymore. | You cannot just burn your users over and over and expect them | to stay forever. | obarthelemy wrote: | I'm not really in favor of putting 2FA codes in the Cloud, see | that password manager that got hacked a few months ago. Granted, | we can expect better from Google, but still, they're not | accepting any liability. | | Google Authenticator already has a QR-Code based very easy export | procedure, I just backup my GAuth to my spare phone and tablet. | It feels safer because it's physical. | | Of course, not everyone has several devices, and physical | security is not granted to everyone. I guess cloud-backedup 2FA | is better than no 2FA, or than 2FA with no backup at all. But... | Cloud ? for security stuff ? | notfed wrote: | I think rest assured your backups will be encrypted-by- | password. | | Though, I often find myself wondering if this represents going | in circles with security. If the security surface of all of | your 2FA keys now reduce to one measly password, well, wait a | second, does protecting everything with two passwords count as | 2FA? | obarthelemy wrote: | "encrypted by password" doesn't mean much by itself: is the | whole security chain open source ? audited by a third party ? | as well as any changes ? Secured by the provider accepting | responsibility for breaches and their consequences ? ... | | Employees down to subcontractor's trainees can modify the | code or pwd store... FYI, the industry standard for "risk of | corruption" is: 3 months of wages. 
In low-pay countries, this | means, literally, pocket change. How sure are you that | whatever Google does is impervious to such insider bad | actors, even if at a specific time their setup was indeed | secure ? | ris wrote: | This. For me a TOTP app/tool will only ever output codes. If it | offers to let me do anything else with the key, it's a no-go. | bombolo wrote: | So what do you do when your phone falls down and breaks? | obarthelemy wrote: | I take my previous phone out of its drawer. Or my tablet. | bombolo wrote: | Very funny. But how do you log in to things without the | OTP seed? | obarthelemy wrote: | It's standalone 2FA, not a password manager. There's no | seed. | leo150 wrote: | It's interesting to see some movement in this area. Is Google | finally feeling some competition? I was looking for this feature | years ago and had to switch to Authy and then to 1P. I'm | wondering how many users GA lost for not adding this basic | functionality for years. | eastbound wrote: | It would be awesome if Google were innovating again. That was a | good company in the good days. | ikiris wrote: | So I'm curious what happened for them to do a complete 180 in | belief as to the security implications of syncing tokens off the | phone? | | Did the holdouts on the relevant team not make it through the | layoff rounds or something? | PenguinRevolver wrote: | And it only took them 12 years to do it. Authy had already | implemented syncing to different devices for a long while. | psanford wrote: | TOTP seed migrations are a real pain. It's good to see Google | offering a solution to that problem. | | I've moved to using the pass otp extension[0] which gives me | secure storage of the TOTP seeds without being tied to a single | device. | | [0]: https://github.com/tadfisher/pass-otp | RileyJames wrote: | Tangential complaint on Google account sign-ins. | | If I remove an account from an app / device, I expect it to be | gone. But they clearly shadow it.
| | I have three Google accounts (work, work and personal). And when | I log into my personal account, which I have removed from the | Gmail app, it still uses that app as its "2FA", and then | reactivates the account. | | 1) if I remove the account, actually do it!!! | | 2) if I'm not logged into any apps, then use a 2FA method I DO | have active (Google Auth app) | sgloutnikov wrote: | If you are on the Apple ecosystem, I highly recommend OTP Auth | [0]. Very friendly UI with encrypted cloud backup where you | control the key. | | [0] https://cooperrs.de/otpauth.html | Kiro wrote: | > To try the new Authenticator with Google Account | synchronization, simply update the app and follow the prompts. | | Not seeing anything new on Android and it's fully updated. | elif wrote: | so... the new feature is you can turn your 2FA into a 1FA Google | login... | | if you think this is a good idea, I highly recommend you add a | second 2FA device to the account you're worried about instead | of... centralizing your "have" factor into a "know" factor. | camhart wrote: | Another request -- let me archive them (instead of only delete). | xp84 wrote: | True, or be able to keep them in folders. Imagine trying to | manage your TOTPs if you, say, are a freelancer who does work | for 25 different clients. | divan wrote: | Regular reminder for Apple users that iOS/macOS has support for | TOTP codes out of the box. It fills the code like an | autocomplete. | | https://support.apple.com/en-gb/guide/iphone/ipha6173c19f/io... | tough wrote: | So are you telling me you can just use vanilla iOS to store | TOTP like with Authy or Google's Authenticator or 1Password but | directly in the Apple keychain? | | That seems nice | | Honestly I think Apple could do a better job at the camera -> QR UX | flow | Eric_WVGG wrote: | Yup. The catch is, it's kind of buried in System Settings. | | Cabel Sasser wrote a blog post that was making the rounds a | few weeks ago, advocating for a dedicated app.
He's right, | the existing Apple implementation works great but it's still | a lot for normies. | | https://cabel.com/2023/03/27/apple-passwords-deserve-an-app/ | nashashmi wrote: | It does do that. Point and aim the camera at a TOTP QR code and it | will ask which account you want to store it to. | xp84 wrote: | > camera -> qr ux flow | | You mean the idiotic little tiny yellow popup which only | stays on the screen while the QR is in view and must be tapped | to activate... WTF were they thinking, right? (You can add a | "QR reader" button to your control center though which | functions in a more sane way.) | | Anyway yes you _can_ do that, but I wouldn't use iCloud | Keychain at all because your Apple account, including ICKC, | can be fully hijacked using _one_ factor only - the passcode | of the device an attacker has. People watch you unlocking in | a bar, then grab your phone and run. Google "joanna stern | iphone passcode" before moving any precious data into Apple's | control. | bobbylarrybobby wrote: | Actually Apple updated it so that when you lose sight of | the QR code, the link gets moved to the bottom center of | the screen, where it stays for a while. Why it's not | _always_ positioned there, I don't know. Having to chase a | moving target on your screen is some real dumb design. | divan wrote: | Thanks for the Joanna Stern story, didn't know that. | | But if an attacker has your iPhone with passcode they | surely get access to your Google Authenticator or Auth app. | How is the "not storing TOTP keys in iCloud" way better in this | case? | Eduard wrote: | > Google "joanna stern iphone passcode" | | https://www.wsj.com/articles/apple-iphone-security-theft- | pas... | | https://archive.is/tn9aq | | TL;DR: if someone spies out your iPhone's passcode, they | may be able to hijack other accounts synchronized with it.
| | In such situations, this simple passcode is like a master | password, with which critical things such as PayPal and | Apple Pay payments can be initiated to drain bank accounts. | | Two-factor authentication also doesn't help, as their | challenges can be approved easily once the iPhone is | unlocked with the passcode. | nashashmi wrote: | Lol. I remember the user who said to me "documentation or it | doesn't exist". | | And so I looked it up. Became pretty popular on HN. ___________________________________________________________________ (page generated 2023-04-24 23:00 UTC)