
Downsides of Google Authenticator - LinuxBender
https://www.zdnet.com/article/using-google-authenticator-heres-why-you-should-get-rid-of-it/
======
lima
Strongly disagree with the premise of this article:

- Passcode or biometric locks on an app are a gimmick and offer negligible
value.

- The keys not being backed up or synchronised across devices is not a
bug, but a feature. You're supposed to keep offline backup keys. Any sort of
synchronization feature adds a ton of attack surface.

- In particular, Authy, LastPass and 1Password have a giant attack surface
compared to a simple app like Google Authenticator. They also rely on
centralized services and if you also keep your passwords in there, you
eliminate the whole point of two factor authentication.

- One important risk with authentication apps is compromised updates, and
Google Authenticator has a very low risk of this since it's backed by Google's
strict security processes.

What you should actually do is to move to U2F/WebAuthn and pester any of your
service providers that do not offer it. Yes, if you need to replace a token,
you'll have to go through all accounts and change it. There is absolutely no
way to prevent this without compromising on security.

~~~
dnr
I've used Google Authenticator for a long time, but the lack of backups is a
really serious downside. What I would really like is encrypted backups using a
strong passphrase that I can write down on paper (like Authy), but from a
trusted source like Google, and with no other features to widen the attack
surface (no internet access, no SMS).

Without backups, having a phone die or get lost is a very frustrating
experience. If you use backup codes, you have to go re-register 2FA on every
account with backup codes. And of course some don't offer backup codes.

You could screenshot and print out the QR code at registration time (I've done
this for a few accounts), but shared printers apparently retain history of
everything they've printed, so you'd need to own a personal printer, which
seems absurd.

You could write down the TOTP secret on paper instead. Ideally with multiple
copies and then move them to different physical locations. That's a big hassle
to do for each new account registration, which seems to happen every few
months.

Encrypted backups solve this easily: you get one key, which you write down
once and distribute to different locations if you want. After that there's
nothing new to do for new accounts at registration time. And restoring onto a
new phone after one dies is also easy.

~~~
ryall
Totally agree, I had my phone stolen a few years back. Had to buy a new one.
What a surprise when I restored Google Authenticator and all my sites were
gone.

However I do have an issue with 1Password's feature of auto-filling those
codes; it seems like it just invalidates the whole "something you have" part
of MFA.

For me Authy is a happy medium.

~~~
ThePowerOfFuet
Google Authenticator is backed up on iOS if you use an encrypted local backup
via iTunes (or macOS Catalina) or iMazing.

~~~
pmoleri
Mmm, does that mean that now your iCloud password unlocks all your 2FAs?

It isn't that bad, it's still a 2nd factor, but it's worth considering.

~~~
nojvek
When you make an encrypted backup, you enter a separate passcode. So it’s not
your iCloud password.

------
danShumway
Last time I checked, by default, Authy codes were susceptible to SIM-swap
attacks.[0] This is a bad article.

You should perhaps consider switching off of Authenticator to an Open Source
manager like andOTP; I think that's something reasonable to propose. But I
don't understand the argument that I should be very concerned about a lack of
biometric locks, but not concerned about invalidating the "something you
_have_" part of 2FA.

I don't think it's horrible if someone uses an app like Authy. It's better
than nothing. But this article didn't need to exist -- if you use
Authenticator, just keep using it, it's fine.

[0]:
[https://nitter.42l.fr/DanielShumway/status/10920819670074982...](https://nitter.42l.fr/DanielShumway/status/1092081967007498242#m)

~~~
latchkey
Authy only has SIM issues if you give it your phone number. Don't do that.

~~~
danShumway
The linked article is recommending Authy over Authenticator because backing up
codes on multiple devices is too hard. If you're going to disable remote
backup on Authy, then there's almost no advantage to switching away from
Authenticator in the first place. Authy also doesn't allow local export of
tokens, so there's no advantage there. I guess with Authenticator you lose the
ability to lock your local tokens with a 4-digit pin, but who cares? 4-digit
pins are not secure.

I just checked on an old installation of Authy, and as far as I can tell there
is no way to remove a phone number from the app itself, only change it. Maybe
when you're installing you can skip that step. You can turn off remote backup
entirely, but see above.

If you use Authy, fine. It's still better than nothing. Really, getting people
to use 2FA at all is the important battle, and the fight over which 2FA app is
best is probably a waste of time. But Zdnet should not have written an article
recommending people switch away from Authenticator to Authy when Authy's
_primary selling point_ is actually an attack vector that its own support
website recommends disabling[0].

More to the point, the setting makes me trust Authy less in other security
areas, because it's an attack vector that they easily could have plugged years
ago -- and it makes me think they haven't actually thought that much about
security. It's just bad UX to ask users for an encryption password when a
single setting will non-transparently bypass that password requirement for
some tokens.

[0]: [https://support.authy.com/hc/en-us/articles/360012427914-Is-...](https://support.authy.com/hc/en-us/articles/360012427914-Is-the-Authy-App-Susceptible-to-a-SIM-Swap-)

~~~
latchkey
You're right... I take back my comment. For some reason I thought that I had
removed the number from Authy. I definitely have multiple devices turned off,
which is definitely a confusing bit of UX.

I had a long thread with @philnash (Twilio, which owns Authy) not too long
ago... this is his reasoning...

[https://news.ycombinator.com/item?id=22022814](https://news.ycombinator.com/item?id=22022814)

While I do not agree with him about having SMS enabled at all, I can listen to
his reasoning.

I also agree with you... Authy has been treated a bit like a bastard child
once it went to Twilio... the updates are few and far between. The UX isn't
great and hasn't improved.

Seems like a good opportunity to build something better.

------
Spivak
Bitwarden is a pretty good solution for this! It's not the smoothest since the
browser extensions don't know how to fill in your codes like they do your
password but it's leaps and bounds above the UX for Google Authenticator.

Being able to access my codes from any device with a web browser is very nice.

INB4:

"But this reduces your security."

* Yes, but I'm already using a password manager with 64 char generated passwords on every site.

* If you're able to compromise my Bitwarden password you likely have enough to remove the 2FA on all of my accounts anyway.

"Why even have 2FA at that point then?"

* Because some things in my life require it.

~~~
lain
I've found the Bitwarden browser extension has an option to automatically copy
the 6 digit code after the username+password autofill. Can't remember if it
does it by default though. See:

Settings / Options / Disable Automatic TOTP Copy

------
anonsivalley652
Since FreeOTP (iOS and Android) is open-source and free, it seems trivial to
add an export/import feature that can store/load from a password-protected
(argon2), encrypted (AES) file.

[https://freeotp.github.io](https://freeotp.github.io)

[https://github.com/freeotp/freeotp-ios](https://github.com/freeotp/freeotp-ios)

[https://github.com/freeotp/freeotp-android](https://github.com/freeotp/freeotp-android)

This isn't suitable because it doesn't allow saving it as a file:

[https://github.com/freeotp/freeotp-ios/pull/129](https://github.com/freeotp/freeotp-ios/pull/129)

------
ocdtrekkie
> Is it risky "centralizing" this data? Sure, but I don't see it any more
> risky as using a cloud-based password manager.

Using a cloud-based password manager is a _huge_ risk though. And if you've
put both your passwords and your 2FA generators in the cloud, you now have
single-factor authentication.

~~~
TallGuyShort
>> you now have single-factor authentication

In many cases that factor is now Google's security vs. the same reused
password that is your hobby + the year you graduated high school. If this is
what makes it convenient enough to always use, it's probably still a step up.
It's at least a better, slightly more distributed factor. And even then
they're distinct systems, possibly not even within the same cloud.

------
ValentineC
I stopped using Google Authenticator in 2013 when my tokens disappeared after
a software update [1]. They were restored in the next update, but I didn't
like not having access to the raw TOTP data.

I switched to Authy after the incident, and now use 1Password after I
discovered their TOTP feature.

[1]
[https://news.ycombinator.com/item?id=6325760](https://news.ycombinator.com/item?id=6325760)

~~~
the_svd_doctor
Isn’t that putting all eggs in the same basket?

~~~
plttn
Yes and no.

Yes, it puts 1Password as the only point of failure iff 1Password security is
compromised. This would require knowing my Master Password, my Secret Key, and
2FA with either my OTP from Google Authenticator or a Yubikey to open the
vault on a new device, or knowing my master password on a device that I
already have 1Password set up on.

On the flip side however, for anyone who _doesn't_ know I use 1Password
(oops), any credential stuffing attack or password leak is not likely to get
anywhere, as they're not going to be attacking my 1Password vault.

------
spyridonas
I use Microsoft Authenticator and it has cloud backups. Maybe it's unsafe,
they promise it's super safe.

[https://docs.microsoft.com/el-gr/azure/active-directory/user...](https://docs.microsoft.com/el-gr/azure/active-directory/user-help/user-help-auth-app-backup-recovery)

~~~
partiallypro
I think you can turn off cloud back-ups if you want. That's what I use as
well. Also -some- cloud backups don't work on it, if the tenant doesn't allow
it. My Azure tenant does not, so you have to reset everything up if you get a
new phone. It was a painful experience, since me and the main tenant holder
both got new phones at the same time. Had to contact Microsoft directly.

------
jabroni_salad
Since we're apparently all sharing our 2fa methods I've really been liking the
yubico authenticator. All the secrets are on the yubikey itself so if
something dumb happens to my phone or computer I don't have to worry about
them.

Plus, the same device does my FIDO2 / u2f / whatever it is this month for the
services that support it.

~~~
edm0nd
U2F + Google's Advanced Protection Program = secure AF

[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/)

------
terlisimo
I've settled on Aegis.

It is open source and allows you to export secrets to an encrypted file which
you can copy around.

A bit more tedious than Authy and similar cloud sync solutions but lower
attack surface and less tedious to back up than Google Authenticator.

Available on F-Droid. Beware of Aegis knock-offs on the Google Play Store that use
a similar name.

------
lisper
I stopped using Authy because it has auto-update that you cannot disable. One
day it auto-updated itself to a version that would not run on my OS. Also,
it's an electron app, so it is absurdly heavyweight for the tiny bit of
functionality it provides.

I ended up writing my own TOTP app. It's about 50 lines of common lisp code.
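A minimal TOTP generator and verifier of the kind lisper describes, added here as an example in Python (it is not lisper's Lisp code); the secret is the RFC 6238 test key in the base32 form an otpauth:// QR code carries, and the function names are mine.

```python
import base64
import hmac
import struct
import time

# RFC 6238 / RFC 4226 published test secret (ASCII "12345678901234567890"),
# shown in the base32 form that enrolment QR codes carry.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret):
    """Decode a base32 TOTP seed; tolerate lowercase, spaces and missing padding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(key, at_time // step, digits, algorithm)


def verify_totp(key, code, at_time=None, step=30, digits=6, window=1):
    """Verifier side: accept the current step and `window` steps either side
    (clock drift), comparing in constant time so the check leaks nothing."""
    if at_time is None:
        at_time = int(time.time())
    counter = at_time // step
    for c in range(max(counter - window, 0), counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    key = decode_base32_secret(RFC_TEST_SECRET_B32)
    print("current 6-digit code for the RFC test key:", totp(key))
```

Google Authenticator's defaults correspond to `step=30`, `digits=6` and SHA-1; the 8-digit values in the test below are the ones published in RFC 6238.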

~~~
latchkey
Authy Desktop

    Memory / Real / Shared
    71.3 MB 116.8 MB 96.3 MB

~~~
lisper

    > du -sh Authy\ Desktop.app/
    142M Authy Desktop.app/

    > du -sh Clozure\ CL.app/
    35M Clozure CL.app/
~~~
latchkey
disk space is cheap, ram is expensive.

~~~
lisper

    > ps ax -o %mem,comm | grep dx86cl64
     0.4 /Users/ron/devel/ccl/v1.11/Clozure CL64.app/Contents/MacOS/dx86cl64

    > ps ax -o %mem,comm | grep Authy
     0.7 /Applications/Authy Desktop.app/Contents/MacOS/Authy Desktop
     0.2 /Applications/Authy Desktop.app/Contents/Frameworks/Authy Desktop Helper.app/Contents/MacOS/Authy Desktop Helper
     1.1 /Applications/Authy Desktop.app/Contents/Frameworks/Authy Desktop Helper.app/Contents/MacOS/Authy Desktop Helper

No matter how you slice it, Authy is just an outrageous resource hog.

------
gravitas
For those who have not seen the previous HN threads this past year on 2FA,
Aegis has emerged on Android, which a number of folks (myself included) have
migrated to using:
[https://github.com/beemdevelopment/Aegis](https://github.com/beemdevelopment/Aegis)
(links to G-Play/F-Droid in the readme). A backup (encrypted or plain) of your
seeds can be exported/imported.

~~~
xtracto
This is amazing! Thank you very much, I will set it up alongside Google Auth on my
phone and add it to my home "backup phone".

One thing that had bothered me about Google Auth for a long time is the fear of
losing my phone and having to go hunting down all the authentication
information. And I never considered Authy because using an "online service" for
these kinds of things just seems wrong to me.

------
txcwpalpha
This thread is a perfect example of why security is hard. Even if you give
users the tools to improve their security (2FA apps), and even if you enforce
that they use those apps, users will always find a way to create a loophole
that completely negates the security enhancement you implemented.

If you’re putting all of your OTP codes in your password manager, that
_completely negates_ the entire point of _two factor_ authentication.

And sure, maybe you think “well I’m not a high value target anyway, I don’t
need to really secure my devices”, but how many of you have work-related accounts
signed into your devices? Even if you’re just a lowly engineer, I can
guarantee you absolutely are a target of sophisticated hacker groups
(ironically you may even be _more_ of a target because these groups know that
you don’t consider yourself a target and therefore are more lax with your
security).

~~~
v01dlight
It's bad practice sure, but to say that it "completely negates the entire
point of two factor authentication" is ignoring the main attack password
managers are good at defending against: credential stuffing.

Example: If LinkedIn leaks my password, attackers can't use it to gain access
to my Gmail because (thanks to the help of a password manager) I use different
passwords for all sites. They also can't use it to gain access to LinkedIn
because I have 2FA turned on. Even if my OTPs are saved in my password
manager, they would need my master password for that.

And if they have someone's master password, they're probably screwed whether
or not they have OTPs in their vault because they likely have credit card
numbers, addresses, social security numbers, etc in there too.

------
parasense
I'm not sure the author on ZDNet understands the security implications of
"device surfing". That is conceptually convenient, but really a terrible idea!
A new token should be generated for each separate device, but not all token
providers support multiple floating tokens.

It's always a battle of convenience versus security, and I get it... people
think that because some services have lowered security to allow device
surfing, yet without knowing the implications, that it's then just some kind
of abstract non-issue taken care of by magical security things not understood.
In other words it takes a big leap of faith, which was improper.

------
yellowapple
"Still using Google Authenticator? Let me recommend a replacement with a
significantly larger attack surface."

I don't know what the current situation is for iOS, but on Android I've been
using andOTP and it addresses pretty much all of the author's pain points
(except for automated syncing between devices and the need to install it per-
device, but you really should keep the number of TOTP-generating devices to a
minimum; more devices = more opportunities for someone to steal that second
factor of authentication).

------
burnte
Authy. Fantastic replacement app. Makes backing everything up a snap. I can
log into Authy on one device by allowing it on another, etc.

------
kuzimoto
Surprised it hasn't been mentioned, but KeePass has the ability to generate
the TOTP codes as well. The database is stored encrypted and on your device. Use
Syncthing and sync your database across multiple devices securely.

Lots of cross-platform apps to use.

------
dang
Related current thread:
[https://news.ycombinator.com/item?id=22432828](https://news.ycombinator.com/item?id=22432828)

------
ncmncm
I like the Somu hardware key now. It is so small--it fits inside the USB slot--I keep it
in an extender when it's not in use.

And, not subject to attacks that work with passcode systems.

------
sschueller
Use an alternative like andOTP or Authenticator Plus which allow you to backup
your keys.

~~~
prophesi
+1 to andOTP. It's on F-Droid and still gets semi-regular updates. It's a bit
obnoxious that it requires a password, but that just means an autofill from my
password manager for free at-rest encrypted storage.

~~~
pyt
I believe if you use the Android Keystore, you can use it without a password
and just authenticate with a fingerprint when it starts up.

------
netsharc
My Google Authenticator data survived me migrating to a different phone
because my flow is:

1. Backup old phone using Titanium Backup.

2. Get new Android phone.

3. Root it.

4. Copy TB backup files from old phone to new.

5. Restore apps and data on new phone using Titanium Backup.

Obviously it's not a procedure a normal user is expected to do...

~~~
cryptozeus
On iPhone I just do backup and restore in iTunes. Everything is migrated. I
don't see why you need to do all these.

~~~
tinus_hn
Keys that specify they can’t be backed up are not migrated, they are not
included in the backup.

------
braindead_in
I use a Chrome extension instead. Works like charm.

------
RileyJames
Just last night I was setting up “2FA” for my girl's Gmail account. It has so
clearly become surveillance it’s disgusting. The only options are Google
consumer apps (or the physical key). The opportunity to link a mobile device
to a desktop for advertising purposes was too great.

I have little trust that the Google Authenticator app is any different. But as far
as I can see you can’t use any of these alternatives from the article.

