iOS 7 is still in beta, and there are still quite a lot of bugs in it (hence... beta). Google Maps doesn't work either (it always reports a server connection error for me).
I would assume that these are problems with iOS 7, not the apps in question, since iOS should provide backwards compatibility. These bugs should be reported to Apple (ideally by Google or authors of other specific apps, who can narrow down exactly what's going on) so that Apple can fix whatever bug is causing the incorrect behaviour.
A better title might have been "Current iOS 7 beta is not Google Authenticator compatible"
DuoSec's iOS app replaced the never-updated Google Authenticator app for me after they added support for third-party token generation. It even works with QR-code scanning, just like the Google App.
The advantage here is obvious: it's an app that is a primary business concern for a security-focused company. It's unlikely it'll go out of date as long as Duo is around.
Never mind that the Google Authenticator app does get updated, why would it be suspect that it wasn't? Since when did it become a mark of quality that something changes constantly?
Its sole purpose in life is to run a well-defined, never-changing calculation and display a 6-digit number on the screen. Not changing is absolutely preferred here.
I have only used it on iPhone 5 without any problem, so I am not sure what you mean here. I only use it for a few seconds to read the number and do not really understand how retina graphics would help you.
Not updating an extremely simple app with Retina support (which they've had at least three years to implement since the iPhone 4's release) would seem to indicate that it's not under any active development.
And if a security bug did pop up, I'd sure rather bet on Duo, Authy, etc. fixing their app quickly than Google doing so, given that I don't think anyone is actually on the Authenticator team. I'm sure someone within Google would consider it a high priority to fix, but it wouldn't be as easy for them to quickly address something.
What kind of security bug? The only thing the program should need is a secure place to store the tokens - which I expect is provided by Android, no? - and to read the time from the system. It shouldn't be exposed to anything else.
Some theoretical bug. It happens, even in simple stuff.
More likely would be e.g. a platform finally getting a halfway decent way to store secrets (which iOS got with the 3GS and even better with iOS 5/6/7), and which Android as a whole still lacks (specific manufacturers are adding it, like Samsung, but it's not a standard due to Google being insane). I don't see a zombie client rapidly adopting those new storage technologies.
The Duo app is really nice. I was really happy to find out you could use it without their (fairly expensive) service; it's essentially a drop-in replacement for the Google Authenticator app. I've still been using both, though.
The thing I dislike most is when sites don't allow you to link your own OATH credential (i.e. a hardware token); I don't consider any of the cellphone apps or services to be as secure as the hardware token, and there are nice ways to use the hardware tokens for role accounts (locking the physical token in a safe, or leaving it in the custody of a third party without direct access to the account, like a CFO). The ideal implementation of OATH/2FA for a site allows users to specify their own, get the QR code, or get a text code.
Coinbase, for instance, only shows the QR code; I can't either use my own hardware token or back up the character string (which I feel I can do safely) to let me re-generate the token. I generally like having >1 device with my OATH credentials for any given account, particularly if the device is needed to change security settings later. It's awesome that they support 2FA, but doing better would be better.
Google Authenticator Version: 1.1.4.755, last updated: Jul 19, 2011. I’m assuming that there are a lot of under the hood changes in iOS 7. It is up to Google to update Google Authenticator so it would be compatible with iOS 7. Then again, iOS 7 is still in beta.
If that's your idea of a maintained app, I think we have differing ideas of what that means. Users with more TOTP tokens than will fit on one screen tend to ditch Google Authenticator because of that issue.
I've been using Authy[1] without any problems on iOS 7. Great thing is that it can also be used for other services that use OTP (AWS, Cloudflare, Facebook etc).
Count me as another vote for Authy. One more amazing feature: Your tokens stick to your Authy account instead of your physical device. If you need to restore your phone or delete the app, you don't need to disable two-factor on all your accounts and then set it up again.
Just reinstall Authy, reauthorize with your Authy account, and you're done! Helped me countless times, from when I had to rebuild my iOS install because of a backup problem to when I got a replacement device due to a hardware issue.
Doesn't giving the device keys to a third party, while also authenticating using a password with that third party, sort of defeat the whole purpose of two-factor authentication?
Unfortunately, their marketing is highly convincing. Most people (even most engineers) won't realize the tradeoff here: Authy replaces "two factor authorization" with "two password authorization". It should be clear which is more secure.
The "two factors" with GA are a knowledge factor (something you know - your password) and a possession factor (something you have - your phone number for SMS or phone for GA app).
Ultimately all of the cellphone 2FA are at some level "two passwords". If the machine on which you enroll initially is pwned at that time, the attacker sees the seed. It's a little better with physical tokens (where you'd need to compromise the token itself, or do MITM at setup time and persistently after). I believe most of the good iOS TOTP apps use the "keybag" correctly so the seeds don't leave the device when backed up, but it's not perfect. An x509 cert would fundamentally not be any different, and PK-based MFA (which Duo, OneID, and I think some other companies do) isn't that different -- it just requires the verifying application talk to the app directly vs. something you can do as a human.
For gmail, Google texts me an auth code; the seed (if there is one) is in their data center. They could switch to seedless down the road since they own both sides of the auth.
I've never trusted the SMS auth; too easy to play phone routing tricks, and most high security environments don't allow phones or have coverage (of course there's also the same problem for no-phones for a phone-based TOTP; the solution is a physical token).
Although using Authy's backup service is optional and the app works just fine with local-only storage and no Authy account, which is how I have it set up.
It works until it breaks, just FYI. I would switch to another App.
I had been using it until tonight but after touching the add button, I rebooted my device and found that several tokens were missing. Upon rebooting the App again, they were all gone.
So how big is the leap between iOS 6 and 7 exactly in terms of app compatibility? Did they do a major API overhaul and will we have to wait for every developer to port their app but also maintain backwards compatibility?