

Google Authenticator is not iOS 7 compatible, will erase your tokens - benguild
https://code.google.com/p/google-authenticator/issues/detail?id=278

======
peterkelly
I'm not sure why this is on the front page.

iOS 7 is still in beta, and there are still quite a lot of bugs in it (hence...
beta). Google Maps doesn't work either (it always reports a server connection
error for me).

I would assume that these are problems with iOS 7, not the apps in question,
since iOS should provide backwards compatibility. These bugs should be
reported to Apple (ideally by Google or authors of other specific apps, who
can narrow down exactly what's going on) so that Apple can fix whatever bug is
causing the incorrect behaviour.

A better title might have been "Current iOS 7 beta is not Google Authenticator
compatible"

------
flyt
DuoSec's iOS app replaced the never-updated Google Authenticator app for me
after they added support for third-party token generation. It even works with
QR-code scanning, just like the Google App.

The advantage here is obvious: it's an app that is a primary business concern
for a security-focused company. It's unlikely it'll go out of date as long as
Duo is around.

[https://blog.duosecurity.com/2012/11/announcing-two-factor-a...](https://blog.duosecurity.com/2012/11/announcing-two-factor-authenticaton-for-third-party-accounts/)

~~~
mseebach
Never mind that the Google Authenticator app does get updated, why would it be
suspect that it wasn't? Since when did it become a mark of quality that
something changes constantly?

Its sole purpose in life is to run a well-defined, never-changing calculation
and display a 6 digit number on the screen. Not changing is absolutely
preferred here.

~~~
kalleboo
It's not confidence-inspiring when an app you use is missing both retina
graphics and iPhone 5 support.

~~~
andreif
I have only used it on iPhone 5 without any problem, so I am not sure what you
mean here. I only use it for a few seconds to read the number and do not
really understand how retina graphics would help you.

~~~
flyt
Not updating an extremely simple app with Retina support (which they've had at
least three years to implement since the iPhone 4's release) would seem to
indicate that it's not under any active development.

~~~
mseebach
It doesn't _need_ to be under active development to perform its job
flawlessly.

------
37prime
Google Authenticator Version: 1.1.4.755, last updated: Jul 19, 2011. I’m
assuming that there are a lot of under the hood changes in iOS 7. It is up to
Google to update Google Authenticator so it would be compatible with iOS 7.
Then again, iOS 7 is still in beta.

------
harshreality
Google doesn't take updating their Authenticator app seriously, even the
Android version.

But _why_ is it deleting the tokens? Can anyone who does iOS development
comment?

~~~
mkuhn
Regarding Android that is just not true. The last update is from July 18 [1]
and the App gets updated frequently and for me it has worked flawlessly.

A while back the Authenticator was not updated automatically but you were
asked to switch to a new App [2]. Maybe that happened to you.

[1] [https://play.google.com/store/apps/details?id=com.google.and...](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en)

[2] [https://play.google.com/store/apps/details?id=com.google.and...](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator&hl=en)

~~~
harshreality
App updates do not imply the app is being adequately maintained.

[https://code.google.com/p/google-authenticator/issues/detail...](https://code.google.com/p/google-authenticator/issues/detail?id=118)

If that's your idea of a maintained app, I think we have differing ideas of
what that means. Users with more TOTP tokens than will fit on one screen tend
to ditch Google Authenticator because of that issue.

------
Soliah
I've been using Authy[1] without any problems on iOS7. Great thing is that it
can also be used for other services that use OTP (AWS, Cloudflare, Facebook
etc).

[1] [https://www.authy.com/](https://www.authy.com/)

~~~
shinratdr
Count me as another vote for Authy. One more amazing feature: Your tokens
stick to your Authy account instead of your physical device. If you need to
restore your phone or delete the app, you don't need to disable two-factor on
all your accounts and then set it up again.

Just reinstall Authy, reauthorize with your Authy account, and you're done!
Helped me countless times, from when I had to rebuild my iOS install because
of a backup problem to when I got a replacement device due to a hardware
issue.

~~~
oakwhiz
Doesn't giving the device keys to a third party, while also authenticating
using a password with that third party, sort of defeat the whole purpose of
two-factor authentication?

~~~
acchow
Yes.

Unfortunately, their marketing is highly convincing. Most people (even most
engineers) won't realize the tradeoff here: Authy replaces "two factor
authorization" with "two password authorization". It should be clear which is
more secure.

The "two factors" with GA are a knowledge factor (something you know - your
password) and a possession factor (something you have - your phone number for
SMS or phone for GA app).

See also [https://en.wikipedia.org/wiki/Multi-factor_authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication)

~~~
rdl
Ultimately all of the cellphone 2FA are at some level "two passwords". If the
machine on which you enroll initially is pwned at that time, the attacker sees
the seed. It's a little better with physical tokens (where you'd need to
compromise the token itself, or do MITM at setup time and persistently after).
I believe most of the good iOS TOTP apps use the "keybag" correctly so the
seeds don't leave the device when backed up, but it's not perfect. An x509
cert would fundamentally not be any different, and PK-based MFA (which Duo,
OneID, and I think some other companies do) isn't that different -- it just
requires the verifying application talk to the app directly vs. something you
can do as a human.

~~~
acchow
If you store the seed on your device.

For gmail, Google texts me an auth code; the seed (if there is one) is in
their data center. They could switch to seedless down the road since they own
both sides of the auth.

~~~
rdl
I've never trusted the SMS auth; too easy to play phone routing tricks, and
most high security environments don't allow phones or have coverage (of course
there's also the same problem for no-phones for a phone-based TOTP; the
solution is a physical token).

------
Watabou
FWIW, I use "HDE OTP" ([https://itunes.apple.com/us/app/hde-otp-generator/id57124032...](https://itunes.apple.com/us/app/hde-otp-generator/id571240327?mt=8)),
which works pretty well for my Google and Dropbox account. It works on iOS7
and it looks better.

------
hippee-lee
It's been working fine for me. First and second beta images that have been
pushed.

~~~
zuppy
The account labels are missing, which is a problem if you have multiple
accounts.

~~~
benguild
Yes, and if you try to edit them, it will wipe out the other tokens.

------
pearjuice
So how big is the leap between iOS 6 and 7 exactly in terms of app
compatibility? Did they do a major API overhaul and will we have to wait for
every developer to port its app but also maintain backwards compatibility?

