[HN Gopher] Google Authenticator now supports Google Account syn...
___________________________________________________________________
Google Authenticator now supports Google Account synchronization
Author : ortusdux
Score : 262 points
Date : 2023-04-24 17:11 UTC (5 hours ago)
(HTM) web link (security.googleblog.com)
(TXT) w3m dump (security.googleblog.com)
| kramerger wrote:
| Pro tip: Aegis works offline and can export and import to file.
| fabian2k wrote:
| Ahem, I think making it much easier to transfer and backup 2FA
| codes is extremely important to make this area more usable. But
| I'm missing some parts here in this announcement about how the
| data is protected. Is the security the same as for the Google
| Account itself, or are there additional checks or protection for
| the case where you need to restore 2FA to another phone?
|
| And how are you supposed to handle the 2FA for your Google
| account? I mean I have U2F tokens which remove that concern, but
| that is far from the typical case. If you have the 2FA for your
| Google account in the Google Authenticator, which is probably a
| very common case, how does this entire thing work then when you
| need it, which is when you lose your phone?
| justeleblanc wrote:
| > And how are you supposed to handle the 2FA for your Google
| account? I mean I have U2F tokens which remove that concern,
| but that is far from the typical case. If you have the 2FA for
| your Google account in the Google Authenticator, which is
| probably a very common case, how does this entire thing work
| then when you need it, which is when you lose your phone?
|
| You open your safe and you use one of the recovery codes that
| you wrote down when you setup 2FA.
| howinteresting wrote:
| You have to meet people where they're at.
| tasuki wrote:
| Do you and people you know have a safe? Where I'm from, we
| generally don't use safes.
|
| Do you consider your safe to be... safe? I'd imagine it to be
| relatively easy to get into, by picking the lock or sawing
| through the safe.
| maxfurman wrote:
| A safe is extremely safe against hackers on the other side
| of the world. Quite safe against more local threats without
| special equipment and time on their hands.
|
| Security is relative to your threat model!
| tedivm wrote:
| Most decent safes are not trivial to pick, often using
| circular keys instead of the flat ones requiring a
| different type of pick. Newer safes don't even have
| keyholes but require that you actually know the
| combination.
|
| As for drilling or sawing through it, that's going to take
| _hours_ to do.
| JohnFen wrote:
| > As for drilling or sawing through it, that's going to
| take hours to do.
|
| This is true for expensive commercial safes, but not for
| home safes. You can drill/saw through them relatively
| quickly. What you can't do is drill/saw through them
| without making a whole lot of noise.
| wintogreen74 wrote:
| or a little water damage, or a fire lasting more than 30
| minutes.
| justeleblanc wrote:
| > Do you and people you know have a safe?
|
| Yes. I'm not talking about a safe like you can see in the
| movies. Just a locked box.
|
| > Where I'm from, we generally don't use safes.
|
| That's on you.
|
| > Do you consider your safe to be... safe? I'd imagine it
| to be relatively easy to get into, by picking the lock or
| sawing through the safe.
|
| That's not the point. 2FA is about thwarting password
| leaks. If someone has physical access to my house _and_
| knows my passwords, I'm screwed, yes.
|
| But since I don't live in a Jason Bourne movie, my threat
| model isn't a ninja who steals my passwords then comes into
| my house to hack my tiktok account. My threat model is
| breaking my phone and knowing that my backup passwords are
| in a minimally safe place where I expect them to be and
| weren't carelessly thrown away with old documents; and
| deter casual "attackers" like a niece who could be inclined
| to plunder my papers for coloring material.
|
| And if I did live in a Jason Bourne movie, I'd expect the
| ninja to just beat me up when I get home and unlock my safe
| for him, assuming I had bought an unbreakable safe.
| mardifoufs wrote:
| So 2FA is just for the tiny, tiny minority with a safe?
| What... Am I missing an obvious joke here?
| JohnFen wrote:
| > > Where I'm from, we generally don't use safes.
|
| > That's on you.
|
| Wait, are we expected to have to buy safes to use the
| internet now?
| xp84 wrote:
| I mean, you should have a safe for a million reasons.
| Mine was bought from Groupon for $50 and wouldn't even
| keep out a determined teen if they didn't mind the
| intrusion being detected.
|
| It just gives you a single location in your house which
| you know nobody could accidentally open up and misplace
| the contents. It's where our passports and other
| foundational government documents, ATM cards, and yes,
| 2FA materials go. When you keep that kind of stuff in
| say, a desk or nightstand drawer, it's vulnerable to the
| 'oh crap, we cleaned out that drawer' attack, where you
| or your family members toss that stuff inadvertently.
|
| Try a safe, it's great.
| JohnFen wrote:
| Nah, I'm good. I have all the benefits you cite without
| having to bother with a safe.
|
| I was just reacting to the somewhat bizarre idea that
| owning a safe is something we should be expecting people
| to do for their online stuff.
| cooperadymas wrote:
| > And if I did live in a Jason Bourne movie, I'd expect
| the ninja to just beat me up when I get home and unlock
| my safe for him, assuming I had bought an unbreakable
| safe.
|
| Here I was thinking you might blow him up with the
| toaster. Or crash him into a garbage truck after an
| extenuated car chase.
| TeMPOraL wrote:
| We live in the era of smart toasters. You'll need to use
| your 2FA tool before you can blow someone up with it,
| which kind of defeats the point when chased by a ninja
| that's after your 2FA tool.
| jacobsenscott wrote:
| Just keep the backup codes in your wallet - most people
| protect their wallets pretty well.
| ndsipa_pomu wrote:
| I'd recommend obfuscating the codes in the event that you
| lose your wallet. You don't want a bad actor to find it
| and realise they can gain control of your account though
| they'd need to figure out your email first.
| darkvertex wrote:
| You can also buy a few cheap RFID stickers that can be
| overwritten from your phone. The cheapest stores like a
| kilobyte or so, which is plenty for quite a few codes.
|
| You can glue them in inconspicuous "boring" places in
| plain sight, like under a mousepad or behind a movie
| poster hung on the wall.
|
| Great way to hide secrets in your home without owning a
| traditional safe (which just screams "steal me! I'm the
| valuable thing in the room!" anyway.)
| blendergeek wrote:
| The main purpose of a home "safe" is fire protection. If my
| house burns down, the contents of my safe should be fine.
| Obviously a sufficiently motivated adversary can get in.
| But that (usually) isn't something I am worried about. Most
| internet hackers do not physically break into houses and
| open safes.
| [deleted]
| organsnyder wrote:
| Yeah, we actually keep the key in the lock in ours. If
| someone gets in and really wants to steal it (note to
| potential thieves: there isn't anything worth your
| while), they could just carry the whole safe with them.
| It's only for preserving important documents in case of
| fire.
| kbenson wrote:
| Many safes allow for securing to the floor, making
| porting it away require a bit more effort, possibly
| including power tools which are quite loud. Also they're
| quite heavy usually.
|
| I remember as a child someone broke into our house while
| we were away to steal stuff. The safe wasn't bolted down,
| and they carried it from one end of the house to the
| other before giving up, either because they got spooked
| by something and bolted or because it was just too damn
| heavy.
|
| Think about the logistics of it. If they're stealing a
| safe, that probably requires a vehicle. A vehicle is more
| identifiable and unless stolen makes it easier to track
| people if noticed or recorded. If stolen, there's a
| chance it will cause a problem immediately before, during
| or after the crime. If they don't use a vehicle, all the
| benefits of not using one, such as being able to take
| non-road paths and blend into crowds are negated. And if
| they choose to crack the safe on location, that adds time
| to the crime while doing so, and all time spent at the
| location of the crime increases the chance they'll be
| caught because someone notes something suspicious.
|
| Like a lock on a house, a safe within a house serves its
| purpose not by making it impossible to gain access but by
| making it much more troublesome and likely to be noticed,
| changing the risk to reward ratio.
| wintogreen74 wrote:
| The "protection" from home safes is a joke: typically
| 30-60 minutes at temperatures less than the heat
| generated by a house fire.
| lapetitejort wrote:
| The house next door to me caught fire. By the time I saw
| the flames from my window and ran out the door, the fire
| truck was already preparing to douse the flames. Yes, I
| am lucky to live in an area with fast responses; no, not
| everyone is so lucky, yadda yadda yadda. But safes help.
| So do fire extinguishers. Get one for every floor in your
| house.
| NavinF wrote:
| 30-60 minutes is a very long time, do fire departments
| normally take that long to start dumping water on the
| house? Some site says "NFPA Standard 1710 establishes a
| 320 second or 5 minutes and 20 seconds 'response time'
| goal for not less than 90% of these type incidents."
| cyberbanjo wrote:
| Relatively easy? Relative to what?
| saltcured wrote:
| Relative to a naively imagined abstraction of a safe,
| perhaps.
|
| A decent home safe can be reasonable protection against
| that loose scrap of paper with backup codes ending up in
| the trash can and may even keep it legible in the event
| of a house fire. But it is true, it won't be much help if
| you are targeted by safe crackers.
| jaggederest wrote:
| Relative to the wrench attack, I guess:
| https://xkcd.com/538/
| kingcharles wrote:
| My entire storage building just burned to the ground with
| my safe in it, all my paper codes, my laptop with all my
| auth on it.
|
| Luckily by sheer fluke my phone was saved which has my TOTP
| apps on it or I would never get into anything again.
| ISL wrote:
| Why did the safe fail to protect the paper -- too hot,
| too long?
| djbusby wrote:
| "The what in where?" says typical user.
| bakugo wrote:
| Any user that didn't pay attention when they were loudly
| and clearly told "SAVE THESE CODES OR YOU MAY LOSE YOUR
| ACCOUNT" probably doesn't actually care about their account
| that much.
| wintogreen74 wrote:
| Uhm, really? Company punts on how to actually secure it
| by saying "store in a safe place" so now it's all on the
| user? Aren't we back to writing your long, complex PW on
| a post-it note then, with the extra step of "lock up your
| post it!"?
| bakugo wrote:
| > Company punts on how to actually secure it by saying
| "store in a safe place" so now it's all on the user?
|
| Yes, it's on the user, who else would be responsible for
| that? A Google employee isn't gonna go to your house to
| install a safe for you so you can store it securely. You
| can argue all day that the average person often can't be
| trusted with these things but I fail to see how this is
| anyone's problem except their own, at some point we need
| to stop treating adults like babies that need their hands
| held through everything and let them learn that their
| decisions have consequences.
|
| 99% of people don't need that kind of security anyway,
| just keep a piece of paper with the codes somewhere
| hidden that you can remember, you don't need to have
| access to them all the time unlike a normal password.
| xp84 wrote:
| I much prefer this approach (and can take responsibility
| because I feel perfectly empowered to make as many copies
| and backups of my recovery keys as I need to make it
| effectively impossible for me to ever be locked out), but
| this whole thing points to how giving people the security
| they claim they want is at odds with their convenience at
| every touchpoint. I have repeatedly refused a family
| member's request to set a front door access code that is
| any family member's birthdate, a very common habit
| because _that's the kind of thing people want to use._
|
| I continue to believe that security for nontechnical
| users is not a solved problem. WebAuthN or whatever may
| someday help solve this puzzle, but only if someone
| packages it in a way that is so frictionless that it's
| _easier_ than just using your birthday and initials as
| your password for every account like my dad did. And if
| the recovery story for the "All my electronic devices
| fell into a lake" situation is something less exploitable
| than the pathetic SMS. I'm thinking notarized letter as
| someone else pointed out.
| shadowgovt wrote:
| > at some point we need to stop treating adults like
| babies that need their hands held through everything and
| let them learn that their decisions have consequences.
|
| Never underestimate the _massive_ market advantage gained
| from treating adults like babies and handling all manner
| of frustrations for them.
|
| UX researchers would call that "A good user experience."
| TeMPOraL wrote:
| Or maybe, when they're first setting this up, excited
| about the new thing in their life that is their first
| smartphone or something, they don't realize yet that
| couple years down the line, half the things in their life
| will be gated by the Google account login form.
|
| When first set up, the Google account really _isn't
| something to care about_. It's only over time, and you
| getting used to all the conveniences it offers, that it
| slowly but surely becomes important.
| booi wrote:
| Can you just reset my password to P@ssword2023!
| ndsipa_pomu wrote:
| No, it can't be a previous password
| dexterdog wrote:
| It was P@ssword2022! previously
| qup wrote:
| It must contain a bizarre character that you would
| normally never use in a password.
| TeMPOraL wrote:
| > _You open your safe and you use one of the recovery codes
| that you wrote down when you setup 2FA._
|
| HN rarely does humor, but when it does, it _really cuts
| deep_.
|
| Can you really expect a typical person - including the tech-
| savvy ones - to keep a hastily written piece of paper for _a
| decade_ or more, without losing it? My code card is clocking
| on a decade, I needed it only once (so far), and it's only
| pure luck that, in all those years, I haven't accidentally
| destroyed it or thrown it away.
|
| Also: it only recently became apparent just how bad it is to
| lose access to your Google account. Most tech-savvy people I
| know don't even realize how many things in their lives are
| gated by that little login form. Non-tech-savvy folks? Maybe
| they'll figure it out in a decade, after enough people have
| been thrust into poverty for the lack of Google 2FA recovery
| codes - enough that it's as boring a news story as car
| accidents.
| JohnFen wrote:
| > Can you really expect a typical person - including the
| tech-savvy ones - to keep a hastily written piece of paper
| for a decade or more, without losing it?
|
| Personally, I keep these in my password manager. My
| password manager is offline-only, and the database is
| regularly backed up, so this makes sense for me.
| kmeisthax wrote:
| What you're describing already happened. When Google turned
| on 2FA for everyone, every librarian in the country was
| inundated by homeless people and old people who had just
| been summarily evicted from the Internet.
| skybrian wrote:
| Where do you keep your passport, if you have one? Your
| birth certificate? Any other important papers you have?
|
| No, it's not reasonable to expect everyone to be well
| organized. Life can be chaotic. People lose stuff. We know
| this. Some people are so unfortunate as to lose _all_ their
| stuff. Repeatedly. The level of organization people have
| varies extremely.
|
| But I do expect there are hundreds of millions of typical
| people with houses and sufficient organization to hang onto
| to their important papers, and it's a good idea to add your
| backup codes to your other important papers. It's good
| advice, though not always applicable.
| crummy wrote:
| > Where do you keep your passport
|
| Honestly, losing my passport probably wouldn't be as big
| a deal as losing access to my Google account.
| jpalomaki wrote:
| This is why I don't like when people outright dismiss SMS
| as suitable second factor. Yes, it has problems, but it
| also has a recovery mechanism that is accessible for
| "ordinary people".
|
| The best solution (for me) would be to connect the Google
| Account to my government issued identity and utilize the
| strong authentication provided by government for account
| recovery.
| xp84 wrote:
| > SMS as suitable second factor
|
| It could be suitable, within certain boundaries _, but
| no, given that sim swapping just means bribing (or simply
| social engineering with a crude fake ID) a minimum wage
| worker at a mall store, anyone whose identity is worth
| more than $50 to steal should never even consider it.
|
| _ For example, if it could only be initiated from a
| browser where you have successfully signed in on at least
| two different days, or from a residential IP where you
| were seen recently.
|
| I would much rather see a mailed postcard, as the last-
| resort fallback to a TOTP. Better to be locked out of
| your account for 4 days waiting for the mail, than to be
| locked out of it indefinitely while the criminal has full
| access.
|
| > my government issued identity and utilize the strong
| authentication provided by government for account
| recovery.
|
| Yes, that seems so obvious and yet to my American ears it
| sounds almost like science fiction. People here
| unironically argue that a national ID card is the Mark of
| the Beast from the Bible.
| WorldMaker wrote:
| I've been joking about a need for "notary factor" for a
| long time. There's an existing, deep and distributed
| network of notaries public that could be reused for
| stronger authentication in the modern world. In classic
| banking if you had a recovery problem you could send
| certain types of notarized letters to get stuff done. It
| was slow: however long it took to prepare the letter,
| find a notary public to get it notarized, and then
| presumably snail mail it to its destination. But
| sometimes _slow_ is better: if someone is trying to steal
| my account, if they need to get the right forms notarized
| and mailed to the right PO Box, there are many steps
| along the way where I can intercede or a notary public
| can interject ( "I won't notarize this because my ethics
| do not allow it.") or presumably human recipient at a PO
| Box can reject the mail for any number of violations or
| failures of documentation.
|
| I think it would be great if the recovery mechanism for
| "ordinary people" took about the same amount of time as a
| notarized letter. In that worst case where you are locked
| out of your account for a week or two it won't feel
| great, but it also helps you feel better that some jerk
| trying to steal your stuff can't do it any faster either.
|
| There are all kinds of fun technical things that could be
| used to actually build interesting "notary factor" tools.
| I think tech companies mostly reject how cool it could be
| to build because they see "slow" as a "bug" rather than a
| "feature".
| l33tman wrote:
| Can't you recover your google account by SMS, even if you
| have GA turned on?
| dahwolf wrote:
| I do quite a lot of tech support for older people and would
| add that forgetting passwords isn't the only issue, an even
| larger issue is people not understanding passwords at a
| conceptual level.
|
| Try as I might, my mother doesn't understand the difference
| between an iPad device PIN, an Apple ID (rarely needed),
| her email password on this same device (Google-based in
| this case) and add a few dozen more.
|
| All she knows is the device in her hand. The abstract model
| we have where we separate device, service, app, web page,
| different companies...simply does not exist for her, it
| does not compute. So even if she'd have the discipline to
| write down things, it would still not work. She doesn't
| even grasp what part is asking for what.
|
| There's a reason big consumer services like Google and
| Facebook have not enforced 2FA: a vast population will
| severely struggle understanding what the hell it is and
| what to do.
|
| Even when you do enable 2FA on Google yourself, it runs in
| "soft mode". It doesn't ask for 2FA for previously trusted
| devices/locations. Surely for good reasons.
| charcircuit wrote:
| I believe the idea is that for as long as you still have 1
| device signed in you can recover it by using one of the codes.
| ocrow wrote:
| Yep. Also missing from the announcement are any instructions on
| what people need to do to use the feature.
| xattt wrote:
| Nor the follow-up necessary should your account happen to be
| randomly blocked.
| kevincox wrote:
| > To try the new Authenticator with Google Account
| synchronization, simply update the app and follow the
| prompts.
| nixcraft wrote:
| Here they have support page
| https://support.google.com/accounts/answer/1066447
| vb6sp6 wrote:
| [dead]
| jbverschoor wrote:
| Post by "Group Product Manager". It's a pretty useless post.
| Could've been 2 sentences.
|
| From the support page:
|
| > If you're signed in to their Google Account within Google
| Authenticator, your codes will automatically be backed up and
| restored on any new device you use.
|
| Still doesn't explain how it works. On the same page they're
| talking about synchronization:
|
| > Google Authenticator 6.0 on Android and 4.0 on iOS introduces
| the option to keep all your verification codes synchronized
| across all your devices, simply by signing into your Google
| Account.
|
| I don't understand why "people" think it's a good idea to hide
| any form of mental model or technicalities.
|
| Provide people with a mental model. It will make it easier to
| understand all the Ws. People are not stupid. They will
| understand, as long as you can describe it properly.
| exabrial wrote:
| Is this the same way Google Podcasts works, where I "have to"
| have "web, location, and usage history tracking" enabled to
| subscribe to a podcast? lol
| glintik wrote:
| OMG, after so many years Google was able to hear users! Before
| this update I had to use two phones synching them manually.
| dirtyid wrote:
| [flagged]
| gigatexal wrote:
| If any PMs at Google are reading this for this product please,
| please, please, for the love of god let me export my Google
| Authenticator TOTPs back and forth from other managers like
| Bitwarden or 1password etc. I know it's against your interest but
| it's in the interest of the end user.[1]
|
| [1] yes I know there are github projects that make this doable
| but it's super involved whereas it doesn't need to be.
| crossroadsguy wrote:
| Quite interesting to see that Google Accounts, known for locking
| users out, i.e. AI auto-banning without recourse, might become a
| major gatekeeper of other accounts as well.
| xp84 wrote:
| Indeed. I find it extra concerning because their "risk based"
| system which can simply decide you're locked out -- even when
| you know your login! -- just because it doesn't recognize your
| IP or cookies, offers no guaranteed from-scratch recovery
| unless you have set up the glaring security hole that is SMS. I
| have an extra throwaway Google account (thankfully for nothing
| important) whose password I never forgot, but which I simply
| cannot log into ever again because I didn't set up any 2FA or
| recovery email, and Google just decided it didn't like the look
| of me one time.
| roopakv wrote:
| I remember pushing for this when I was at Google ~5 years ago. I
| wasn't on the team but I wrote 2 proposals, one to do QR code
| export and imports and another to sync codes using the google
| backup framework.
|
| Neither was approved nor denied, just in limbo. But nice to see
| that both features have finally shipped. Sadly I have switched
| away to 1P, too much effort to move it all back.
| briffle wrote:
| > Sadly I have switched away to 1P, too much effort to move it
| all back.
|
| It seems like a very, very bad thing to store both your
| passwords, and TOTP codes in the same tool...
| bdcravens wrote:
| I agree, and I'm a huge 1Password fan.
|
| I use Authy instead, which also backs up TOTPs.
|
| I'm also having the same thoughts about Google Auth: my email
| (Gmail) is a big target for gaining access to the rest of my
| digital life, and putting 2FA in the same hands seems risky.
| I'd need to do more evaluation to consider leaving Authy.
| psanford wrote:
| The main point of TOTP is that users passwords are mostly
| weak and reused across sites. TOTP protects those users from
| password stuffing and similar attacks.
|
| If you are using a strong random password generated from 1PW
| you've already mitigated against that threat. TOTP isn't
| buying you much additional security. So for most folks it is
| just fine to store you TOTP seed in 1PW.
|
| Unlike TOTP, passkeys _do_ buy you additional security in
| their phishing resistance. So you should always prefer
| passkeys/fido2 keys to TOTP if that is an option. Its still
| fine for most users to use 1PW as your passkey storage.
| Takennickname wrote:
| It literally protects you from key loggers. Isn't that
| important?
| psanford wrote:
| In practice, no. Key loggers are a minuscule threat to
| account security compared to weak passwords and password
| reuse.
|
| But lets say you are in fact a user that gets targeted by
| an adversary capable of deploying a key logger against
| you. Does TOTP protect you? No! If you are compromised to
| that point, the attacker is also in a position to just
| hijack your sessions.
|
| There isn't a threat model out there that is trying to
| solve the problem of "my end user device has been
| compromised but I still want to be able to use it to
| access sensitive systems without those systems being
| compromised."
| hirsin wrote:
| Token binding was the closest we had - still lets a
| compromised endpoint in the right position steal and use
| the tokens from that device, but it's at least not
| persistent.
| Takennickname wrote:
| True
| tasuki wrote:
| > If you are using a strong random password generated from
| 1PW you've already mitigated against that threat. TOTP
| isn't buying you much additional security.
|
| Why isn't TOTP buying much additional security?
|
| It seems to me that apart from password reuse it's
| mitigating many other potential problems: keyloggers
| leaking passwords from your device, passwords leaking from
| the authenticating server, etc.
| xyzzy_plugh wrote:
| Furthermore the risk exposure to using TOTP in 1pw is
| almost insignificant. You can configure your 1password
| account to require 2FA when setting up new devices, and
| unlike Google here the decryption requires manual knowledge
| not shared with the cloud.
|
| The only argument I can imagine is that if someone gets
| ahold of your phone it's either locked and they can unlock
| it or it's unlocked, in which case either your 1pw account
| and/or other TOTP apps are either locked or unlocked. In
| the worst case scenario where everything is unlocked,
| having a separate app is negligible.
|
| Besides, AFAIK Google Authenticator doesn't require
| additional unlock steps, unlike authy or 1password.
|
| You're better off worrying about how to avoid TOTP and
| securing 1password than about having TOTP codes stored
| alongside your passwords.
| roopakv wrote:
| Very true, however as others have pointed out it all comes
| down to levels of security.
|
| There are many non important accounts where I have 2FA, and
| both the password and the TOTP is in 1p. This should suffice
| for any brute force password attacks. However there are some
| accounts (like google) which one can consider more important
| for which I keep the TOTP on a separate app like Authy.
|
| More recently I've been switching to yubikeys where possible.
| r00fus wrote:
| As a former Google Auth user, who bungled my own phone
| migration a few years ago - yeah, defense in depth is better
| but at the time, I was furious there was no way to recover my
| Google Auth and I had to go to every single service and reset
| my 2FA.
|
| Storing both on 1Pass is not as secure, but the option is
| that once in a while you misstep and spend a week restoring
| TOTP setup (or lose entire accounts because your service
| provider has no functional customer support) then I'm
| amenable to stable but less secure options.
| nighthawk454 wrote:
| Eh, it's still better than not having it. Which is likely the
| bar for a lot of casual users. Mostly the goal is to prevent
| password reuse I think, which comes down to convenience. And
| unless 1pass gets hacked (which could happen! see: LastPass)
| it's relatively secure for that purpose.
| unethical_ban wrote:
| I'm more concerned about the one tool being cloud-based than
| anything.
|
| I keep my 2fa backup codes in my Keepass safe. Where else
| will I keep them?
| ClassyJacket wrote:
| I would've even been happy if they didn't block you from
| screenshotting the QR export code. This has caused me so much
| pain over the years but nope, they refuse to change it.
|
| This basically means you can never factory reset your phone
| without someone else using their phone to help you, which means
| you're forced to share your entire account and all your codes
| with a third party who might keep them forever.
|
| You also can't preemptively back it up in case your phone is
| stolen or lost.
|
| But nope, Google thinks they know best and in 2023 they still
| actively block you from keeping your accounts safe. It's mad.
| Gareth321 wrote:
| Years ago I got FUCKED when I used Authenticator and bought a
| new phone. I just assumed everything would be backed up to
| iCloud, like everything else. I lost access to accounts which
| were almost impossible to retrieve. Millions of people have
| been screwed thus, turning people away from 2FA. I can't
| believe it has taken this long to enable sync.
| elbigbad wrote:
| Yep, I've been using Authy for years because of this. Before
| that, I would have a second phone with GAuthenticator on it
| and when I scanned the QR code to set up a new account, I
| would do it with both phones simultaneously to make sure I
| had a backup. It always struck me as absolutely ridiculous.
| [deleted]
| pkaye wrote:
| Why couldn't you use your old phone to get access and switch
| over?
| nness wrote:
| If you damage your Android screen it is basically useless
| unless you have pre-emptively set up some kind of remote
| access process...
|
| Twice I've had to spend hours manually resetting/re-enabling
| my 2FA after a phone was damaged, and sans buying a new
| screen just to get a backup of the phone, there aren't many
| other options.
|
| (Similarly, this was the time I learnt that the UK gov does
| not issue backup codes for their 2FA and you just have to
| spend 45 mins on hold to have them reset it for you.)
| TeMPOraL wrote:
| Exactly this. I bought my current phone after I dropped
| my previous one and cracked its screen. I was only able
| to recover access to critical services because I have
| previously set up some Tasker automation connected to my
| Pebble watch, which enabled me to navigate the phone "in
| the dark" enough to turn on AirDroid, allowing me to
| screen-mirror the phone to the PC. Of course, all the 2FA
| tools have this stupid idea of blacking the screen when
| it's being mirrored - but fortunately, I was able to turn
| on USB debugging this way, at which point I plugged the
| phone in and used scrcpy to show a fat middle finger to
| Google and plain recover everything from Authenticator.
| dcchambers wrote:
| Now imagine trying to explain this to anyone outside of
| the tech industry. I imagine only a small percentage of
| software engineers and IT folks in general would be able
| to accomplish what you did. How easy it is to
| accidentally fuck yourself over with app-based 2FA is one
| reason I've been hesitant to recommend it to my non tech
| savvy friends and family. While SMS 2FA is a lot less
| secure, it's at least pretty much idiot-proof.
| teaearlgraycold wrote:
| You can get the database out of the phone. It requires adb
| and root, though.
| allday wrote:
| Our onboarding docs specifically tell employees to NOT use
| Google Authenticator precisely because of this issue. I have
| no idea how Google let this fester for so long, literally if
| even one (1) person over there was using it and got a new
| phone, they should have known about the issue.
| nanidin wrote:
| The app has supported bulk QR code export and import for
| years. This makes it easy to transfer to a new phone, and
| relatively easy to make physical backups.
| bobbylarrybobby wrote:
| Right, just like I can carry a thumb drive around with my
| files and manually sync between every computer I use. Or
| just use Dropbox...
| hirsin wrote:
| Which only worked if you had both phones working at the
| same time... I'd bet a sizable portion of new phone
| enablements are due to losing the previous phone
| irrevocably.
| nanidin wrote:
| The QR code encodes the actual secret data for the TOTP,
| so backing up the QR code is sufficient.
|
| Screenshot -> Print is one backup method.
|
| Screenshot -> Encrypt -> Save to secure location is
| another method.
| spear wrote:
| You'd save the QR code at the time you first used it on
| the old phone, and not wait for when you needed to
| transfer it.
|
| For me, I'd usually be on the desktop when setting up 2FA
| anyway, so I'd just save the QR code from the desktop
| browser ("Save image as ..."). When I needed to set up a
| new phone, I'd open the saved image on the desktop and
| point my phone at the screen.
| ClassyJacket wrote:
| Nope, you can't screenshot the page, so you can't save
| the code and can't send it to another phone. This means
| you can never trade in a phone for a new one and if your
| phone is lost or stolen you're locked out of all your
| accounts forever.
|
| They actively added code to prevent you taking
| screenshots, which is insane but true.
| nanidin wrote:
| I'm on iOS and I'm able to screenshot the QR code with
| version 3.4.0 of the app. Maybe the screenshot lockdown
| is limited to Android?
|
| In any case, if you're trying to create a backup there
| are other avenues of capturing the QR code - offline
| digital camera is probably the most secure way of doing
| so.
| WheatMillington wrote:
| What if I drop my phone into the lake and need a new
| phone?
| nanidin wrote:
| Well, hopefully you created a backup by storing a copy of
| the QR code somewhere :)
| unethical_ban wrote:
| Interesting - but not good enough. For the threat model
| TOTP solves, it is not absurd to want Authy-like
| functionality where codes can be backed up, encrypted, to
| a cloud service OR like Authone (?) which allows you to
| export the data to a file.
| apocalyptic0n3 wrote:
| Yeah, same with my company. "DO NOT USE GOOGLE
| AUTHENTICATOR" is littered throughout our Intranet and
| onboarding docs in bold letters with recommendations for
| different options. And people still use it and lose their
| codes all the time.
|
| Now it's tied to the Google Account which means it'll be
| tied to either their personal or work account and now we
| have to worry about personal account bans removing their
| 2FA or when they leave the company, our suspension process
| killing personal 2FA that were synced via the wrong
| account.
| et-al wrote:
| fwiw, Google Authenticator starting with 3.1.0 started
| supporting exports via QR code.
| nonfamous wrote:
| Yeah, but only as a means of transferring them to another
| device. Sure, you could abort the flow before the existing
| codes were deleted, but it was far from ideal.
|
| I'm glad there's finally real support for backing up codes.
| mgbmtl wrote:
| Hmm no, I use this from time to time, and it really is just
| a way to copy the codes to another device. It won't delete
| them from the original device. It notifies the device owner
| after a few minutes that the TOTP have been exported, and
| it keeps a log of exports.
|
| I'm in the process of moving to Aegis. It's FOSS, encrypts
| the file on the device, and supports the biometric lock. It
| can do a daily backup to a few sources, including the
| Google backup (I think) and personally I dump it to a
| folder that my Nextcloud will automatically upload to my
| personal server.
| ClassyJacket wrote:
| It doesn't delete them from the existing device. However,
| it exports them via qr code, which it prevents you from
| screenshotting, meaning you can never factory reset your
| phone or protect yourself from theft or loss. You can only
| transfer to another phone when you have both devices
| working at the same time.
| wildpeaks wrote:
| Does the export invalidate the existing device after export ?
| it sounded like it's only for moving to a different device
| rather than having two at the same time.
| wiredfool wrote:
| Not on iOS within the last year or so.
| neves wrote:
| QR code export is an old feature. I have an Android emulator in
| my desktop just to have a backup of my codes.
| adrr wrote:
| The worst thing about Google Authenticator was migrating
| to another device and the amount of support my IT team had to deal
| with people upgrading phones. I can't believe how long it took
| for an export feature.
| admn2 wrote:
| Yeah, I switched away from Google for this reason. Pretty
| wild to think of the implications of losing your phone and
| having no backup. Even switching phones required resetting
| all your codes. Authy is a mess, but at least had this
| functionality when they were still actively worked on.
| princevegeta89 wrote:
| All you need is the OTP secret. I have all of mine stored in
| my bitwarden. I can plug and play them in any supporting app
| to keep generating the 2fa codes.
| justeleblanc wrote:
| Nice to see it catching up. It feels like competitors (MS
| authenticator, 1P, the iOS thing...) have had it for ages.
| bilal4hmed wrote:
| I have started using Aegis on android which is fantastic. Backup
| and restore anywhere.
|
| My advice would be to not have everything in one place, no matter
| which ecosystem you are on. Going all in is never a good idea
| whether it's Google or Apple. It's great that Google has done this,
| but just use another app to manage that.
| mmh0000 wrote:
| If you're on Android, you should checkout FreeOTP+[1], a far
| better OTP client.
|
| FreeOTP Plus forked the same functionality of FreeOTP provided by
| RedHat with the following enhancement:
|
| * Export settings to Google Drive or other document providers
|
| * Import settings from Google Drive or other document providers
|
| * Enhanced UI with material design with dark theme support
|
| * Search bar to search token
|
| * Provide more token details for better interoperability with
| other apps
|
| * Utilize modern camera hardware to scan QR code faster
|
| * Option to require Biometric / PIN authentication to launch the
| app
|
| * Heuristic based offline icon for tokens of 250+ websites.
|
| * More settings to customize the app functionality
|
| [1]
| https://f-droid.org/en/packages/org.liberty.android.freeotpp...
| nashashmi wrote:
| I recommend http://totp.app for Android. You can even set the
| app as default on Android.
| moogly wrote:
| Or Aegis Authenticator. It is basically a perfect app IMO.
| tacker2000 wrote:
| To be honest I wouldn't trust Google with any accounts anymore. If
| you somehow get your account locked or banned, for whatever
| reason, you're screwed forever.
| 0xbadcafebee wrote:
| I'm also on 1Password. No idea why I would use Google
| Authenticator. "Hey we have Google Password Manager" - that's
| great, so I can be locked into your platform while you take
| another 13 years to implement a basic feature? No thanks? I'd
| rather pay a company that cares about my experience, thanks.
| explodingwaffle wrote:
| While we're complaining about Google's 2FA offering...
|
| The issue described here started happening to me recently:
| https://www.googlenestcommunity.com/t5/Apps-Account/Why-is-G...
|
| Summary- Google has added a "match the numbers in the app" style
| 2FA to YouTube. Makes sense- their video monopoly means that for
| many iOS users like myself it's the only Google app they've got.
| Except...
|
| 1) It's the default, and there's no apparent way to change it, or
| even turn it off. This is annoying- I prefer TOTP since it's more
| secure. There's a Google Prompts section in the 2FA settings, but
| it says that I don't have any supported devices. This actually
| makes sense, because
|
| 2) It doesn't f*king work! Ever since they changed it from "press
| yes" to "match number", the screen opens in the YouTube app and
| then loads forever. Which means I've got a spurious notification
| on my phone, a screen to dismiss next time I open the YouTube app
| (or several, because for some reason they can stack), and two
| extra clicks every time I log into Google on a new device.
|
| Actually, I lied earlier- there is one way to disable it, and
| it's to DISABLE ALL 2FA, as you can see people doing in that
| support thread. I honestly don't blame them, but clearly less 2FA
| was not the plan of whoever's idea this was. Speaking of support
| forums- I don't think anyone at Google reads them, but they do
| read HN :))))
| hyperdimension wrote:
| Wow, that link is such a great example of Google's "support."
|
| "This channel is for troubleshooting Google devices. It is best
| to report this with YouTube support for better assistance.
| [...] I'll be locking this thread after 24 hours."
|
| ...just because the initial report contained the keyword
| 'YouTube', presumably. The reporter clarified the situation,
| and a different "support" team member comes in and regurgitates
| the same canned response! On Google's side, why even bother
| replying at all if that's all you're going to do?
| 0xbadcafebee wrote:
| > On Google's side, why even bother replying at all if that's
| all you're going to do?
|
| Oh, it's just so they can claim to their advertisers that
| they do support.
|
| Remember: if you're not paying for the product, you _are_ the
| product!
| (https://en.wikipedia.org/wiki/Television_Delivers_People)
| devnullbrain wrote:
| >Remember: if you're not paying for the product, you are
| the product!
|
| This cliche isn't true: if you pay, you're a more valuable
| mark. You're always a product.
| dontblink wrote:
| Just an FYI here: Google's community support forums aren't
| well named as their intended purpose is for users to answer
| other users' questions. For the community to support each
| other.
|
| For actual support you need a paid account to reach out to.
|
| You could argue that it's badly named and should just be
| called Google's community forum instead, which is what it
| really is.
| hyperdimension wrote:
| That's pretty funny and makes sense. I guess I shouldn't
| have expected anything more from Google. Thanks for the
| clarification.
| lasr_velocirptr wrote:
| One of the potential solutions might be to just treat youtube
| as a separate service i.e. create a separate account for
| YouTube with 2fa disabled.
|
| It's not ideal since you need to deal with two accounts but
| that's what password managers are for.
| NavinF wrote:
| Never encountered that. Is this because I got lucky in an A/B
| test or because I have Advanced Protection turned on and only
| use FIDO keys?
| getpost wrote:
| A certain webhost requires me to use Authenticator for 2FA, and I did
| so. I also configured my iPhone to delete unused apps.
| Authenticator was unused, and got deleted, so naturally, I had to
| open a support ticket with the webhost to remove 2FA to regain
| access to my webhost account. I hope this feature will maintain
| my setup if the app gets deleted.
| murat124 wrote:
| Why did it take so long? 2FA has been around for quite some time
| now. Was there a push back at Google? Or, just neglect?
| sylware wrote:
| ... and noscript/basic (x)html browsers ?
|
| mmmmh....
| tzs wrote:
| Note that there are two kinds of backups possible for TOTP
| secrets:
|
| 1. Backups that are specific to the app that made them. They can
| be used to restore the secrets to that same app on a new or
| replacement device, but might not help if you want to migrate to
| a different app.
|
| 2. Backups that can be restored to other apps.
|
| If you aren't sure you are going to stick with the same TOTP app
| long term this could be important.
|
| Sometimes there are third party tools that can take #1 type
| backups and give you back the secrets in a form suitable for
| other apps.
|
| For example, Google Authenticator can export the secrets in the
| form of a QR code that contains the secrets for multiple accounts.
| Another instance of Google Authenticator can read that, but other
| TOTP apps might not be able to. But this tool [1] knows how to
| take the information in that QR code and decode it and split it
| into the individual secrets for each site. It can even generate
| QR codes of those for scanning into another TOTP app.
|
| If you want #2 type backups that just work with most TOTP apps,
| there is a fairly easy way to get them. Whenever you set up a new
| account and a site gives you a QR code, simply take a screenshot
| before using that QR code to finish setting up the new account.
|
| Store your collection of QR code screenshots somewhere safe.
|
| If you ever want to migrate to a new TOTP app or to the same app
| on a new device open those saved screenshots and scan the codes.
|
| If you've got an image display program that will let you open
| many at once restoring can be pretty fast. On my Mac for example
| I just do "open *.png" in the place I have the screenshots. That
| opens them all in Preview, with each one being a separate page.
| Then I tell Preview to show one page at a time.
|
| Then it is a matter of scanning one, hitting "page down" on the
| keyboard, and repeating until they are done. After two or three
| I'm in the groove and it goes pretty fast.
|
| [1] https://github.com/dim13/otpauth
| TacticalCoder wrote:
| > backups possible for TOTP secrets:
| >
| > 1. Backups that are specific to the app that made them
|
| I never thought about that. I always backup the key _before_ I
| first use it, when it's shown for the very first time. Heck,
| I've written a CLI / text TOTP app (using some Java TOTP
| library) for my own use (fully offline / airgapped / password
| protected / showing six codes at once for the same code [+1
| hour / now / -1 hour and previous code / current code / next
| code] and which also shows a public/commonly used example code,
| which is convenient to diagnose sync/clock issues).
|
| > But this tool [1] knows how to take the information in that
| QR code and decode it and split it into the individual secrets
| for each site.
|
| Like JBSW Y3DP EHPK 3PXP ?
|
| In my experience every site that shows the QR code offers the
| possibility to see that secret (and those that don't are
| misleading users into thinking it's more complicated than it
| is).
|
| A TOTP secret is just that: 16 or 24 or whatever characters.
| The QR is just an encoding of these characters. The "issuer"
| serves no role other than autofill the name of the service for
| you (and you're not forced to use the issued name: you can use
| any name you want).
|
| I never _ever_ scanned a QR code to configure 2FA / TOTP for
| any site. I write the 2FA code down, then encode what I've
| written down (in at least two devices).
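Taking the two posts above at their word: the enrolment QR code is just an otpauth:// URI, and the secret inside it is a base32 string any RFC 6238 implementation can consume. The following is an added example (my own code, not from the thread, from Google Authenticator or from the tool tzs links) that parses such a URI, honours its algorithm, digits and period parameters instead of assuming SHA-1/6/30, and prints a previous/current/next window of codes to diagnose clock skew, like the CLI tool TacticalCoder describes. The URI and account name are constructed sample values built around the demo secret quoted above.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions named by the otpauth "algorithm" parameter (RFC 6238 allows all three).
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


@dataclass
class OtpParams:
    kind: str          # "totp" or "hotp"
    label: str         # account label from the URI path, e.g. "Issuer:user@example.com"
    secret: bytes      # raw key bytes (the base32 text in the URI, decoded)
    issuer: str = ""
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30   # TOTP time step in seconds
    counter: int = 0   # HOTP moving counter


def decode_base32(text: str) -> bytes:
    """Decode a secret as sites show it: spaces, lower case and missing '=' padding are tolerated."""
    text = text.replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def parse_otpauth(uri: str) -> OtpParams:
    """Parse otpauth://TYPE/LABEL?secret=...&issuer=...&algorithm=...&digits=...&period=..."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI carries no secret")
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    return OtpParams(
        kind=u.netloc,
        label=unquote(u.path.lstrip("/")),
        secret=decode_base32(q["secret"]),
        issuer=q.get("issuer", ""),
        algorithm=algorithm,
        digits=int(q.get("digits", "6")),
        period=int(q.get("period", "30")),
        counter=int(q.get("counter", "0")),
    )


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, at // period, digits, algorithm)


def code_for(params: OtpParams, at: int) -> str:
    """Code for a parsed URI at unix time `at` (HOTP ignores the time and uses the counter)."""
    if params.kind == "hotp":
        return hotp(params.secret, params.counter, params.digits, params.algorithm)
    return totp(params.secret, at, params.period, params.digits, params.algorithm)


def code_window(params: OtpParams, at: int, steps: int = 1) -> list:
    """(time, code) for the previous/current/next time steps, to spot clock drift on a device."""
    return [(at + i * params.period, code_for(params, at + i * params.period))
            for i in range(-steps, steps + 1)]


# Constructed sample: the demo secret quoted in the thread, wrapped in the otpauth URI
# a site would encode in its enrolment QR code. Not a real account.
SAMPLE_URI = "otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    now = int(time.time())
    print(f"{p.issuer} / {p.label}  ({p.algorithm}, {p.digits} digits, {p.period}s step)")
    for t, c in code_window(p, now):
        print(f"  {t}  {c}")
```

The RFC 4226 and RFC 6238 test vectors are the "commonly used example code" mentioned above: if a device produces those values for the published keys and times, its clock and implementation are sound.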
| ajonit wrote:
| If Google ever decides to kick you out of your account,
| Authenticator data will be gone. Google has done this on several
| occasions in the past.
|
| I would still prefer independent app for password manager and
| another for TOTP with backup enabled for all.
| nikeee wrote:
| Does that mean one can use adb to backup Google Authenticator's
| data as well? Last time I tried, the app data was explicitly
| marked as excluded in backups. I started saving the secrets
| somewhere else because otherwise, I wouldn't be able to have
| _any_ backup.
| flippinburgers wrote:
| There are alternatives like aegis. People should just turn their
| backs on Google auth altogether.
| hammyhavoc wrote:
| Too little too late. Moved to BitWarden with a VaultWarden
| server.
| amaccuish wrote:
| Such a bizarre app. Instead of implementing push notifications in
| the "Google Authenticator" app, Google decided to add the logic
| to all other apps like YouTube. Before we introduced Okta, our
| users would get notifications like "Open the YouTube app on your
| phone to approve this login".
|
| Whilst clever for the people who don't have Google Authenticator
| installed, it's just bizarre to ignore it when it's there.
| [deleted]
| ellm wrote:
| Google's preference of their weird, bespoke authenticator over
| TOTP is also very annoying to anyone who would rather not. (it
| is required to add any additional authenticators, and the
| default authenticator)
| joshuamorton wrote:
| It's more secure though.
|
| TOTP are still phishable, the push notification includes
| information on where you're logging in from, so you at least
| have a chance to notice that the login is coming from Croatia
| and not your house.
|
| FIDO is still vastly better though.
| mgbmtl wrote:
| With Google Authenticator, there is no notification, is
| there? As a user, you have to open your phone, open the
| app, then scroll to the right code, and copy/paste it. (The
| lack of search is one of the reasons that made me switch to
| Aegis)
|
| I always thought Okta was kind of weird, because it's just
| a notification that says "allow/deny" and it's easy to
| click the wrong one.
| joshuamorton wrote:
| It's possible I'm confused by GP, but there's two things
| being discussed here I think:
|
| First, Google Authenticator, which is in fact just totp
| which can be used for both Google 1p and any 3p TOTP
| thing. And second Google's push-notification based auth
| checks which are used for only certain 1P Google apps
| (like logging into your gmail or youtube).
| Lammy wrote:
| They also once bizarrely replaced the
| `com.google.android.apps.authenticator` package with the new
| (and still used) `com.google.android.apps.authenticator2`,
| making everyone set up their accounts all over again or forgo
| updates: https://www.androidpolice.com/2012/03/22/psa-googles-
| authent...
|
| The old one has its name changed to "(old)":
| https://play.google.com/store/apps/details?id=com.google.and...
| fullstop wrote:
| Too late, Google, I already switched to Yubikey. I kind of like
| that my TOTP keys are a separate entity from my phone.
| stronglikedan wrote:
| Yup, I'd rather pay Bitwarden a nominal fee and be able to
| authenticate everywhere, than deal with the incredible amount
| of unnecessary friction google has imposed since forever. Never
| going back.
| bombolo wrote:
| If only that was more broadly supported.
| fullstop wrote:
| Where is it missing support?
|
| edit: I want to reiterate that these are still TOTP codes and
| not WebAuth/FIDO2.
| bombolo wrote:
| Oh I thought you meant those usb devices that need to be
| set up, like google titan and similar.
| fullstop wrote:
| Ah, no, these can connect to a PC over USB and to a smart
| phone over USB or NFC to generate a 6 digit TOTP code,
| just like Google Authenticator does.
|
| They can also do more sophisticated things, but that's
| not what I was referring to here. Those sophisticated and
| more secure things are supported by Google, Facebook,
| Dropbox, Github, etc, but not by most banks. Banks are so
| slow with this stuff and still do SMS-based 2FA which is
| absurd to me.
| throw7 wrote:
| Storing it in the google cloud doesn't satisfy me. I just simply
| want the codes under my control. The current authenticator did
| finally allow export to qr code, but google still makes it
| stupendously difficult to just get a simple text export to a
| file.
|
| It's not been a problem for me though as I've just always saved
| the otpauth code from the start.
| kobalsky wrote:
| I save the qrcodes in an encrypted folder that I can quickly
| import into a yubikey with:
|
|   for i in *.png; do
|     uri=$(zbarimg -q --raw "$i") &&
|       ykman oath accounts uri --touch --password "MYYUBIPASS" "$uri"
|   done
| ianopolous wrote:
| How about they support the algorithm parameter in the TOTP spec,
| rather than silently ignoring it and hard-coding hmacSha1?
| mullingitover wrote:
| Google's authenticator has been outright harmful in how neglected
| it has been, especially when it comes to backing up your codes
| outside the app. This should be a very full-featured and well-
| maintained application considering how essential it is for
| security.
|
| For years I've been telling anyone who'd listen to use Authy
| instead.
| tonymet wrote:
| Good move. For too long usability suffered.
|
| Most of these security protocols fail to scale. What happens
| when you have 30 tokens and you get a new device?
|
| Many vendors are still requiring a phone call.
|
| Security without usability is just cosplay.
| izacus wrote:
| If anyone is looking for good alternatives on Android - Aegis and
| Authenticator Pro are both good opensource apps, available on
| F-Droid/Play and also allow easy backup to a cloud (or storage)
| of choice.
| amiga-workbench wrote:
| Thumbs up for Aegis, I've been using it for years and the
| backup & import/export has saved my ass several times now.
| exoji2e wrote:
| If you are concerned with lockout and want offline, interoperable
| backups of your 2auth codes I strongly recommend Raivo. It can't
| import from google authenticator directly, but it's possible to
| extract the secrets with some docker script, and then enter them
| manually into Raivo.
| ec109685 wrote:
| I've been using Authy because it supports syncing to the cloud
| (encrypted with a key that you control).
|
| Glad Google finally has this.
| manv1 wrote:
| Years ago I updated authenticator and it wiped out all my
| entries, which led to an incredibly aggravating week of account
| recovery.
|
| What happens to your data when google decides to lock your google
| account? Does your device keep a local copy or will it just shut
| down?
| heliophobicdude wrote:
| I recently had a broken phone replaced and had depended on a
| backup to have my TOTP keys on my new phone. It was not a part of
| the phone backup. :(
| svachalek wrote:
| Same. Someone needs to make all this both secure and usable.
| For now, I'll even take "this is going to ruin your day but at
| least there's a standard and consistent way to deal with this"
| as usable, maybe we don't want anything easier than that for
| security reasons.
| xyzzy_plugh wrote:
| Too little too late. Everyone I know has moved to 1password or
| authy or yubikeys (or some combination).
|
| I'll never understand why they didn't do this many years ago.
| ClassyJacket wrote:
| Yep, way too late to keep me on it. I don't trust them anymore.
| You cannot just burn your users over and over and expect them
| to stay forever.
| obarthelemy wrote:
| I'm not really in favor of putting 2FA codes in the Cloud, see
| that password manager that got hacked a few months ago. Granted,
| we can expect better from Google, but still, they're not
| accepting any liability.
|
| Google Authenticator already has a QR-Code based very easy export
| procedure, I just backup my GAuth to my spare phone and tablet.
| It feels safer because it's physical.
|
| Of course, not everyone has several devices, and physical
| security is not granted to everyone. I guess cloud-backed-up 2FA
| is better than no 2FA, or than 2FA with no backup at all. But...
| Cloud ? for security stuff ?
| notfed wrote:
| I think rest assured your backups will be encrypted-by-
| password.
|
| Though, I often find myself wondering if this represents going
| in circles with security. If the security surface of all of
| your 2FA keys now reduce to one measly password, well, wait a
| second, does protecting everything with two passwords count as
| 2FA?
| obarthelemy wrote:
| "encrypted by password" doesn't mean much by itself: is the
| whole security chain open source ? audited by a third party ?
| as well as any changes ? Secured by the provider accepting
| responsibility for breaches and their consequences ? ...
|
| Employees down to subcontractor's trainees can modify the
| code or pwd store... FYI, the industry standard for "risk of
| corruption" is: 3 months of wages. In low-pay countries, this
| means, literally, pocket change. How sure are you that
| whatever Google does is impervious to such insider bad
| actors, even if at a specific time their setup was indeed
| secure ?
| ris wrote:
| This. For me a TOTP app/tool will only ever output codes. If it
| offers to let me do anything else with the key, it's a no-go.
| bombolo wrote:
| So what do you do when your phone falls down and breaks?
| obarthelemy wrote:
| I take my previous phone out of its drawer. Or my tablet.
| bombolo wrote:
| Very funny. But how do you login into things without the
| otp seed?
| obarthelemy wrote:
| It's standalone 2FA, not a password manager. There's no
| seed.
| leo150 wrote:
| It's interesting to see some movement in this area. Is Google
| finally feeling some competition? I was looking for this feature
| years ago and had to switch to Authy and then to 1P. I'm
| wondering how many users GA lost for not adding this basic
| functionality for years.
| eastbound wrote:
| It would be awesome if Google were innovating again. That was a
| good company on the good days.
| ikiris wrote:
| So I'm curious what happened for them to do a complete 180 in
| belief as to the security implications of syncing tokens off the
| phone?
|
| Did the holdouts on the relevant team not make it through the
| layoff rounds or something?
| PenguinRevolver wrote:
| And it only took them 12 years to do it. Authy had already
| implemented syncing to different devices for a long while.
| psanford wrote:
| TOTP seed migrations are a real pain. It's good to see Google
| offering a solution to that problem.
|
| I've moved to using the pass otp extension[0] which gives me
| secure storage of the totp seeds without being tied to a single
| device.
|
| [0]: https://github.com/tadfisher/pass-otp
| RileyJames wrote:
| Tangential complaint on google account sign ins.
|
| If I remove an account from an app / device, I expect it to be
| gone. But they clearly shadow it.
|
| I have three google accounts (work, work and personal). And when
| I log into my personal account, which I have removed from the
| gmail app. It still uses that app as its "2FA", and then
| reactivates the account.
|
| 1) if I remove the account, actually do it!!!
|
| 2) if I'm not logged into any apps, then use a 2FA method I DO
| have active (google auth app)
| sgloutnikov wrote:
| If you are on the Apple ecosystem, I highly recommend OTP Auth
| [0]. Very friendly UI with encrypted cloud backup where you
| control the key.
|
| [0] https://cooperrs.de/otpauth.html
| Kiro wrote:
| > To try the new Authenticator with Google Account
| synchronization, simply update the app and follow the prompts.
|
| Not seeing anything new on Android and it's fully updated.
| elif wrote:
| so... the new feature is you can turn your 2FA into a 1FA google
| login...
|
| if you think this is a good idea, i highly recommend you add a
| second 2FA device to the account you're worried about instead
| of... centralizing your "have" factor into a "know" factor.
| camhart wrote:
| Another request -- let me archive them (instead of only delete).
| xp84 wrote:
| True, or be able to keep them in folders. Imagine trying to
| manage your TOTPs if you, say, are a freelancer who does work
| for 25 different clients.
| divan wrote:
| Regular reminder for Apple users that iOS/MacOS has support for
| TOTP codes out of the box. It fills the code like an
| autocomplete.
|
| https://support.apple.com/en-gb/guide/iphone/ipha6173c19f/io...
| tough wrote:
| So are you telling me you can just use vanilla iOS to store
| TOTP like with Authy or Google's Authenticator or 1Password but
| directly into the apple keychain?
|
| That seems nice
|
| Honestly I think apple could do a better job at camera -> qr ux
| flow
| Eric_WVGG wrote:
| Yup. The catch is, it's kind of buried in System Settings.
|
| Cabel Sasser wrote a blog post that was making the rounds a
| few weeks ago, advocating for a dedicated app. He's right,
| the existing Apple implementation works great but it's still
| a lot for normies.
|
| https://cabel.com/2023/03/27/apple-passwords-deserve-an-app/
| nashashmi wrote:
| It does do that. Point and aim camera at totp QR code and it
| will ask to which account you want to store it to.
| xp84 wrote:
| > camera -> qr ux flow
|
| You mean the idiotic little tiny yellow popup which only
| stays on the screen while the QR in view and must be tapped
| to activate... WTF were they thinking right? (You can add a
| "QR reader" button to your control center though which
| functions in a more sane way.)
|
| Anyway yes you _can_ do that, but I wouldn't use iCloud
| keychain at all because your Apple account, including ICKC,
| can be fully hijacked using _one_ factor only - the passcode
| of the device an attacker has. People watch you unlocking in
| a bar, then grab your phone and run. Google "joanna stern
| iphone passcode" before moving any precious data into Apple's
| control.
| bobbylarrybobby wrote:
| Actually apple updated it so that when you lose sight of
| the QR code, the link gets moved to the bottom center of
| the screen, where it stays for a while. Why it's not
| _always_ positioned there, I don't know. Having to chase a
| moving target on your screen is some real dumb design.
| divan wrote:
| Thanks for the Joanna Stern story, didn't know that.
|
| But if an attacker has your iPhone with passcode they
| surely get access to your Google Authenticator or Auth app.
| How "not storing TOTP keys in iCloud" way is better in this
| case?
| Eduard wrote:
| > Google "joanna stern iphone passcode"
|
| https://www.wsj.com/articles/apple-iphone-security-theft-
| pas...
|
| https://archive.is/tn9aq
|
| TL;DR: if someone spies out your iPhone's passcode, they
| may be able to hijack other accounts synchronized with it.
|
| In such situations, this simple passcode is like a master
| password, with which critical things such as PayPal and
| Apple Pay payments can be initiated to drain bank accounts.
|
| Two-factor authentication also doesn't help, as their
| challenges can be approved easily once the iPhone is
| unlocked with the passcode.
| nashashmi wrote:
| Lol. I remember the user who said to me "documentation or it
| doesn't exist".
|
| And so I looked it up. Became pretty popular on hn.
___________________________________________________________________
(page generated 2023-04-24 23:00 UTC)