
Warning: Google Authenticator upgrade loses all accounts - calvin
I upgraded Google Authenticator to the latest version this evening on my iPhone. It lost all my accounts.

DO NOT UPGRADE Google Authenticator or you'll have a really bad day.

People on Twitter are starting to complain:
https://twitter.com/search?q=google%20authenticator&src=typd
======
gmac
Too late for me, but a pleasingly fast and pro-active response from AWS (which
rather shows Google up) just received by email:

"If you are an AWS customer who uses Google Authenticator for iOS as a multi-
factor authentication device to secure your AWS account via AWS MFA
([http://aws.amazon.com/mfa/](http://aws.amazon.com/mfa/)), please read on. We
are writing to inform you that Google has recently released an update to the
Google Authenticator App in the iOS Store. We've received reports indicating
this update is inadvertently deleting all MFA tokens from the smartphone; this
could prevent you from authenticating to your AWS account.

At this point, it is our recommendation that you do not update your Google
Authenticator App if you're using an iOS Device. If you have already updated
your Google Authenticator app and are no longer able to login successfully you
can request assistance from our AWS Customer Service team at:

[https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/aws-token-support](https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/aws-token-support)

We have posted this as an announcement to our AWS Developer Forums at
[https://forums.aws.amazon.com/ann.jspa?annID=2091](https://forums.aws.amazon.com/ann.jspa?annID=2091)
and will be posting updates if new information becomes available."

~~~
jobu
And no word yet from Google... Their lack of customer service is going to end
up killing them in a number of markets. I would never use Google for any
critical business function (email, payments, cloud computing).

~~~
madaxe
They'll join this thread in a while and call us all novices for not
understanding that this is deliberate, well tested, and our fault.

[https://news.ycombinator.com/item?id=6166886](https://news.ycombinator.com/item?id=6166886)

~~~
CamperBob2
I don't think the people arguing with Justin in that thread are novices or
naive users, but they do seem to be unaware that when you lend your computer
to someone, you should set them up with their own user account if you don't
want them surfing through your stuff.

It's funny how the tech community browbeat Microsoft for years about how
Windows should have been designed as a multiuser system like Unix, and then
when Microsoft finally took their advice and made the necessary user-level
security improvements, their efforts were ignored.

~~~
madaxe
Afraid you've missed the point in the same way as Justin did... Those people
(me included) are perfectly aware of that. The argument is that your mother
isn't, and while it's reasonable to expect her to be, you can't just assume
such.

~~~
CamperBob2
If so many people are missing the point, then maybe, just maybe, there isn't
one to miss.

~~~
madaxe
The majority are always right, for a subjective and wide definition of right.

------
guiambros
Authy (YC W12, [1]) is a nice replacement for the GA app. Besides being more
stable, it has also the "benefit" of allowing you to back up your keys, and
recover in the case of a lost phone or deleted app.

Thankfully, backing up is entirely optional, and turned off by default. While
they claim backups are encrypted with PBKDF2 [3], I still would never ever use
something that sends my tokens to a remote server, as it'd defeat the purpose
of 2FA in the first place.

Still, I can see the use for casual users that care enough to have 2FA, but
not _that_ much to worry about tokens being stolen and decrypted from Authy..

Past discussions on HN here [2], [3], [4].

[1] [https://www.authy.com/thefuture](https://www.authy.com/thefuture)
[2] [https://news.ycombinator.com/item?id=6133648](https://news.ycombinator.com/item?id=6133648)
[3] [https://news.ycombinator.com/item?id=4916983](https://news.ycombinator.com/item?id=4916983)
[4] [https://news.ycombinator.com/item?id=4330050](https://news.ycombinator.com/item?id=4330050)

~~~
chmars
Authy wants to 'make data available to nearby bluetooth devices' and – even if
you don't allow for it – asks for Bluetooth to be turned on. What's the reason
for these requests?

I'd appreciate an explanation directly in the app. In doubt, I simply deny
such requests.

Screenshots:

[http://i.imgur.com/jTC5msY.png](http://i.imgur.com/jTC5msY.png)
[http://i.imgur.com/seytfhy.png](http://i.imgur.com/seytfhy.png)

~~~
henryaj
Authy has a desktop client that can request tokens from your phone via
Bluetooth, so you don't need to generate a token and type it in manually.

[https://www.authy.com/thefuture](https://www.authy.com/thefuture)

~~~
raverbashing
Good, so when the user requests a bluetooth connection you ask for permission
or tell the user to turn bluetooth on

Don't ask the user to approve something when he doesn't know what you want to
do with it, and when the thing screams "don't do it" in that particular situation.

------
cheald
Aside from the screwup here, this is a good chance to check backup mechanisms
for your various 2FA accounts. If your phone is broken or stolen, do you have
a recovery plan?

I keep backup codes for each of my 2FA services in a Truecrypt container,
which is mirrored on Dropbox. Additionally, I keep a copy printed out and kept
in a fire safe. Phone backups for personal accounts have my wife's phone on
record, and I try to keep printed copies of the QR codes I used to set up the
account.

About a year ago, my phone was shattered while on the road, and while I was
able to regain access to those accounts due to existing login sessions on my
home computer, I'd have been sunk without them. Make sure you have a plan for
what you do if your phone authenticator becomes unavailable.

------
nl
A while ago the Android version was replaced by a new app (instead of just an
upgrade), allegedly because the team _LOST THE SIGNING KEY FOR THE ORIGINAL
APP_ [1].

If there is one team you'd expect not to lose a signing key I would have
thought it would be that one!

Everyone makes mistakes, but it's pretty scary to hear this happening too.

[1] [http://www.androidpolice.com/2012/03/22/psa-googles-authenticator-updated-to-v2-except-its-a-brand-new-app-and-you-need-to-install-it-to-get-future-updates-old-one-is-dead/](http://www.androidpolice.com/2012/03/22/psa-googles-authenticator-updated-to-v2-except-its-a-brand-new-app-and-you-need-to-install-it-to-get-future-updates-old-one-is-dead/)

~~~
bound008
The other option is if you are a developer and want ultimate control the app
is open source. For maximum convenience aught.

------
orand
If they had released this two weeks later, iOS 7's auto-update feature would
have bricked everyone's accounts.

Google Auth 2.0 redefines two-factor auth: something you know + something you
DON'T have. Their entire purpose in life is this second part and they
completely and absolutely botched it. I can't believe this passed testing at
both Google and Apple. There wasn't even a warning in the release notes.

~~~
derefr
I think Google's thinking on this is that 2FA tokens are definitely "one of
those things you don't want stored in an subpoenable manner by your Cloud
provider." If your 2FA token is synced to iCloud, for example, then it's no
longer something you _have_ -- it's something else you _know_ (your iCloud
username+password.)

"Something you Have"-type tokens provide security basically because they're
immune to rubber-hose cryptanalysis: if you really just don't have the key to
a safe, nothing an attacker does can make you give it to them. As such, tokens
are _also_ the factor that protect you from contempt-of-court charges if
you're compelled to provide it. (Though they _can_ then ask you "who _does_
have a key?"; if this is an accomplice, it's best if they live in a separate
country, and hopefully one which doesn't like the US very much.)

~~~
sk5t
I don't think this argument makes any sense with regard to TOTP, as Google (or
Dropbox, Twitter, etc.) most certainly knows the seed/secret for your account
at their service and could be forced to divulge it via court order. Or they
could simply cough up the plaintext data sans faffing about with 2FA at all.
2FA of this sort only makes it harder for an attacker to get in.

Defense against rubber hose cryptanalysis comes into play where the key only
exists in one place, such as the asymmetric private key on hardware security
module, or perhaps a symmetric key stored on a physically-unavailable USB key.
But 2FA like TOTP does not imply encryption, even though it relies on some
cryptographic primitives.

~~~
derefr
Keep in mind that Google Authenticator stores _arbitrary third-party_
credentials, though. Subpoena Google and you could get Google's TOTP token for
you, along with the rest of your account, sure. Sync Google Authenticator to
Google, and suddenly they don't have to subpoena anyone else--just use their
Gmail account to reset all their passwords for every other service, and use
their TOTP tokens to sign into them. This basically removes the "Principle of
Least Privilege" way that subpoenas work.

------
clarkm
For those looking for Google Authenticator alternatives, I recommend either
Duo Mobile from Duo Security or Authy. I ditched Google Authenticator a while
ago and haven't missed it one bit -- having a single app manage my two-factor
tokens / keys is much more convenient.

~~~
nwh
Edited: Authy requires a mobile number and a remote server to store your
tokens though.

~~~
elithrar
> Both require your mobile number and for a remote service to store all of
> your tokens though..

Duo does not, for the record. Download and go.

~~~
nwh
I seem to have recalled that one wrong then, or they've changed their service
since I last saw it.

------
mahyarm
This is why you keep backups of your TOTP authenticator keys. I was really put
off by 2 factor until I figured a way to do a backup. Authenticator URLS look
like this:

    otpauth://totp/KeyNameHere?secret=SECRETKEYSTRINGHERE

You can save it in some passworded zip archive somewhere or print it out. If
you print them I suggest printing them with QR codes to aid in recovery speed.
You can easily generate QR codes by putting the text URLs into a QR code
generator. If you just have a QR code, use a general QR code scanning app to
extract the string.

Also the new Google Authenticator version has a 100% repro crash bug when you
scan two QR codes in a row on iOS 7 phones.

------
imkevinxu
Quick solution for Google 2-step auth (do it QUICK so you don't lose access to
your Gmail)

1) Go to this page
[https://accounts.google.com/b/0/SmsAuthSettings](https://accounts.google.com/b/0/SmsAuthSettings)

2) Click "Move to a different phone"

3) Re-setup your Google Authenticator

Note: the 10 printed one-time access codes and all the application-specific
passwords will still work after this "reset". But you still need to reset your
other accounts that use the Google Authenticator

------
bdcravens
I use Google Authenticator on the 2 AWS accounts I manage. Fortunately, at
least on the first, the master account didn't have 2FA on it, so took about 60
seconds to reset it. (remove device, then readd) However, most wouldn't have
the master account (the entire purpose of IAM).

I suspect that Google may have an update that restores accounts. I know when
I've restored my phone, losing all apps, when I reinstalled an app months
later, the settings were still there. Obviously the settings are stored in a
file somewhere, so my hope is that this is how Authenticator works, and this
buggy release just failed to properly open that file. Of course, not everyone
can wait and have to reset like I did.

------
noveltyaccount
When I add sites to Authenticator, I take a screenshot of the QR code and tuck
it away in an encrypted document (OneNote for the record, which uses AES to
encrypt).

~~~
skeletonjelly
Have you tested this? Are the barcodes not time pertinent?

~~~
markbao
(I've studied two-factor authentication using HOTP and TOTP, and built a
node.js implementation of it.)

The QR codes simply divulge a URI with the secret key for generating tokens.
They look like:

    otpauth://totp/[keyname]?secret=[secretkey]

The secret key is used in the app in conjunction with a moving factor (usually
30-second intervals of time) to generate a numerical hash of sorts for that
interval of time, which is then truncated to 6 characters.

The QR code itself doesn't have any sort of time limit on them; they only
serve to transmit the secret key.

~~~
skeletonjelly
Would this mean that these two values are stored locally? Could they be
extracted from the GA app?

~~~
markbao
Technically, yes. The name of the key is set by default as the account name in
the app. I haven't looked into how the secret is stored in the Google
Authenticator app—hopefully it's stored securely or with some level of
obfuscation, but the app definitely needs to be able to retrieve the secret
key somehow to do the token calculation.

One thing to note is that neither Google Authenticator nor Duo Security let
you display the secret itself in the app. Another thing to note is that Google
Authenticator keys seem to be backed up if you back up your iPhone to a
computer using iTunes (mine were still there after a restore).

~~~
ydant
If you've disabled the built in protections on Android for the /data/data/
folder (such as "root"ing it), getting the keys out is as simple as:

    $ su
    # sqlite3 /data/data/com.google.android.apps.authenticator2/databases/databases 'select email, secret from accounts'

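An added example, not from the thread: it takes the same sqlite accounts table the command above queries and turns each row into an otpauth:// URI that can be printed, archived or re-scanned on a replacement phone. Only the email and secret columns appear in the comment; the type and counter columns (and the meaning type 1 = HOTP) are my assumption about the app's schema and are used only when present. sample_connection() builds a constructed in-memory stand-in for the device database; the secrets in it are well-known test values, not real ones.

```python
"""Export Google Authenticator (Android) accounts as otpauth:// URIs.

Added example for this thread. Schema beyond (email, secret) is assumed.
"""
import sqlite3
import sys
from urllib.parse import quote

# Path quoted in the thread; readable only with root.
DB_PATH = "/data/data/com.google.android.apps.authenticator2/databases/databases"


def export_otpauth(conn: sqlite3.Connection) -> list:
    """Return one otpauth:// URI per row of the accounts table."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(accounts)")}
    if not {"email", "secret"} <= cols:
        raise RuntimeError("accounts table lacks the email/secret columns")
    has_type = {"type", "counter"} <= cols
    sql = "SELECT email, secret" + (", type, counter" if has_type else "") + " FROM accounts"
    uris = []
    for row in conn.execute(sql):
        email, secret = row[0], row[1]
        label = quote(email, safe="@")
        # Assumption: type 1 marks a counter-based (HOTP) account; anything else is TOTP.
        if has_type and row[2] == 1:
            uris.append(f"otpauth://hotp/{label}?secret={secret}&counter={row[3]}")
        else:
            uris.append(f"otpauth://totp/{label}?secret={secret}")
    return uris


def sample_connection() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the device database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (_id INTEGER PRIMARY KEY, email TEXT, "
                 "secret TEXT, counter INTEGER, type INTEGER)")
    conn.executemany(
        "INSERT INTO accounts (email, secret, counter, type) VALUES (?, ?, ?, ?)",
        [
            ("alice@example.com", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 0, 0),
            ("Dropbox alice", "JBSWY3DPEHPK3PXP", 0, 0),
            ("hotp-service", "JBSWY3DPEHPK3PXP", 7, 1),
        ],
    )
    return conn


if __name__ == "__main__":
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else sample_connection()
    for uri in export_otpauth(conn):
        print(uri)
```

Copy the database off the device first (it needs root to read) and run the script against the copy; each printed line can be handed to `qrencode -t ANSIUTF8 "$uri"` to get a QR code that any authenticator app will scan. The output is the raw secrets, so treat the file exactly like the original QR codes: encrypt it or print it and put it in the safe.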
------
chime
Every time I upgraded to a new iOS 7 beta, it wiped my Google Authenticator
account tokens. It wasn't a big deal with Google or Dropbox because both allow
me to move. But I can't log in to my CampBX account anymore. I tried Authy
today after another comment here on HN and it's been working so far.

------
veidr
What does it mean that it 'loses all accounts'?

I use two factor auth but not this app, so I am not sure why people are going
to have such a bad day...

~~~
gmac
You get greeted by a "let's begin" screen, and all your accounts/credentials
have magically gone away. This happened to me 5 minutes ago.

Edit: tweet with picture:
[https://twitter.com/jawj/status/375144792126410752](https://twitter.com/jawj/status/375144792126410752)

~~~
natch
So your account has not gone away, nor has it been deleted, nor has any magic
happened; your account is still there safe and sound on Google's servers, it's
just that the settings in this one mobile app have been wiped, correct?

~~~
kevingadd
Without the settings in your authenticator you're locked out of accounts that
require a 2-factor token from it, unless you've got backup tokens printed out.

------
bound008
This was a perfectly functional app except that it didn't look like google+. I
would recommend switching to authy (YC) bc their Bluetooth 4.0 LE
implementation is awesome:
[https://www.authy.com/thefuture#pairing](https://www.authy.com/thefuture#pairing)

------
devx
This is the sort of "nightmare scenario" I'm afraid of, and why I'm still not
using 2FA. I'd rather risk having only a weaker password, than risking losing
my accounts for good. You can't get back into your accounts if something like
this happens, right?

~~~
lalc
To get back into your account you're provided backup codes that you're
supposed to store somewhere safe. Otherwise, if your phone were stolen you'd
be out of luck, yes.

~~~
arjie
I was about to respond "Haha, no big deal, I use my Google Voice number". The
flaw in this was readily apparent.

------
ibejoeb
To disable auto-update on recent Android:

Play Store -> Search "Authenticator" -> Select "Google Authenticator" -> Press
"Menu" -> Deselect "Auto-update"

~~~
jordanthoms
I don't think this is happening on Android, seems to be an issue with an iOS
update.

~~~
jared314
I think this is a good reminder to use the auto-update feature wisely, on all
platforms.

------
acheron
I saw Google Authenticator had an update this morning and thought "haha,
wouldn't it be awful if it deleted the accounts when I updated!" Well, I guess
I'm the goat [1].

I was still signed into Google so that was easy enough to generate a new key,
but I believe I'm going to have to use my backup number to get into Dropbox.

[1]
[http://en.wikipedia.org/wiki/Duck!_Rabbit,_Duck%21](http://en.wikipedia.org/wiki/Duck!_Rabbit,_Duck%21)

------
robin_reala
The broken update has now been pulled.

------
markwakeford
Use HDE OTP, it's a better-looking app anyway.

------
DigitalSea
Do Google even test the stuff they put out? This is a pretty severe mistake to
make for a company as big as Google. Do they not have teams dedicated to
testing this stuff? The small design studio I work at does a better job QA'ing
their websites than Google does QA'ing major product upgrades... Disgraceful.

~~~
swalkergibson
Don't be ridiculous. Of course they QA their projects. Shit happens. This
issue is of a serious enough nature affecting enough people that there will
almost certainly be a proper route back.

------
castis
Man, someone is going to have a really really bad day tomorrow.

~~~
markbao
Someone should be having a really bad day right now. The app needs to be
pulled from the App Store immediately.

------
calvin
If you offer two-factor authentication for your website, be prepared for a
surge in support requests today. When I talked to one of my providers on the
phone, they stated they are already getting a surge in calls because of this
app update.

------
drewschrauf
I used my Pebble watch for TFA. You have to compile the app yourself but it's
pretty easy. [https://github.com/aaronpk/pebble-authenticator](https://github.com/aaronpk/pebble-authenticator)

------
michaelrbock
Don't upgrade! I just had this unpleasant experience and warned everyone about
15 minutes ago:
[https://news.ycombinator.com/item?id=6325745](https://news.ycombinator.com/item?id=6325745)

------
gfodor
I'm not seeing the update in the App Store, nor the app itself. Must be
pulled.

------
thrownawaaay
What an absolutely awesome time for iTunes Connect to be down for maintenance.

~~~
CamperBob2
Almost as if Apple is twisting the knife.

------
dknecht
The Authy app is great and supports Google, Dropbox, CloudFlare, Amazon…

------
MiguelHudnandez
Shit. I am running the iOS 7 beta with automatic app updates, and I already
have the new app.

I am considering wiping my phone and restoring it from a previous backup with
the old copy of the app.

Edit: I was still logged in from my browser, and was able to activate the new
version without entering a code from the deceased version of the app.

From this, it seems theft of your cookies could let an attacker completely
take over your account and two-factor device if they know your account
password and you have chosen to trust the victim computer.

~~~
dunham
If you have a password on your backups, the codes are in your backed-up
keychain. (Google Authenticator doesn't mark its keychain entries as "keep on
device". You'll need to patch iphone-dataprotection to handle the iOS 7
keychain format (I added a patch to the bug tracking database.)

------
PLejeck
I'm just gonna point out that the previous update was somewhere around 2 years
ago, and it's just _now_ getting retina, so we should be glad there's even
this much.

~~~
bruceboughton
Yeah, now I can view my missing one time codes in retina, edge to edge
quality. Yay!

------
web007
Unrelated to this particular snafu but still potentially problematic: if you
have your Authenticator account named by its default name (foo@example.com)
and you add another account with the same key, it will be blindly overwritten.
I found this out the hard way after scanning my Meraki 2FA QR code that was
tied to the same email that already had Google 2FA.

ProTip: rename your auth entry to something like "Gmail foo@example" to avoid
this problem, whether malicious or accidental.

------
gbraad
Luckily got an AWS reminder. And a shameless plug... my own 2FA app on
[http://gauth.apps.gbraad.nl](http://gauth.apps.gbraad.nl) can be used
everywhere you have a webbrowser, offline when your browser supports it and
updates without problems when a new version is available. Besides, no updates
were needed in months due to good QA. ;-)

------
bruceboughton
Fuck you, Google. Fuck you.

~~~
victorlin
Shit, I am fucked by Google as well ... :(

------
hrjet
What I worry about is a hacker feigning to be another user and claiming that
they can't access their google account anymore because of a botched update.

I guess Google support might get too many reset requests to show due diligence
in verifying authenticity of the requests.

------
darklajid
Not an iPhone user, but I wonder if you could access the key data manually and
restore it afterwards?

On Android that's possible (if you have root....) by accessing the key
database (sqlite in that case). I did that to duplicate the keys from my
handset to my tablet.

~~~
rem1313
Yes, if you have synced with iTunes before the update. If that's the case you
have to delete the updated app from the phone, connect phone to iTunes (do not
sync or transfer purchases) and copy over the old app from iTunes to phone and
it will restore the old version + app data.

~~~
3dinger
didn't work for me - app was restored but not data

------
tjbiddle
Just in time for Github to add 2FA.

------
bluesmoon
Chris Messina has a solution:
[https://twitter.com/chrismessina/status/375118991280205824](https://twitter.com/chrismessina/status/375118991280205824)

~~~
evilduck
That's only good for Google accounts. Dropbox and others aren't reset as
easily.

~~~
seanieb
Dropbox has the option to add a backup SMS phone number in addition to offline
TOTP code. Here are some other steps you can follow if your Google Auth app
got wiped:

\- [https://www.dropbox.com/help/364/](https://www.dropbox.com/help/364/)

------
markstanislav
Don't forget that Duo Security's mobile application supports Google
Authenticator (and any other TOTP-enabled service). It also has already been
working on iOS 7 for weeks.

------
PLejeck
I actually just switched to Duo Mobile earlier today because of iOS 7 issues
with Authenticator; this just cements my decision to switch.

Edit: oddly iOS 7 hasn't autoinstalled this yet.

~~~
elithrar
> I actually just switched to Duo Mobile earlier today because of iOS 7 issues
> with Authenticator; this just cements my decision to switch.

I moved all my non-critical stuff over (to test it out), saw the Google
Authenticator update, and then had to go and reconfigure those accounts
anyway.

I highly recommend making sure your backup phone number is updated _and_
verified and/or you have backup codes prepped.

~~~
PLejeck
Luckily I was still logged into all my accounts (my Dropbox account suddenly
dropped from Google's app like a week ago)

Duo seems to be quite nice, I doubt I'll end up using the backup codes.

Incidentally, GitHub has it right - "download a text file of your backup
codes" is much easier than "print this page and hope you don't lose it"; I
find that find(1) outpaces my frantic drawer-emptying.

~~~
cstuder
I've just noticed that Google has the download-as-text functionality now too.

~~~
bigiain
I wonder how many machines have those backup auth token text files sitting on
the Desktop or in the Downloads folder?

------
tlrobinson
Related: will iOS 7 let you turn off the auto-update feature?

~~~
JoshGlazebrook
Thankfully yes it does.

------
Achshar
Does this affect android? my phone is off and I am not turning it on until I
can somehow disable auto update from the play store from web.

------
0x0
Happened to me as well, fortunately I disabled 2FA on my Dropbox account
before the upgrade, thanks to this warning!

------
pshc
Thanks for the heads-up all! Looking forward to actually being able to
distinguish Authenticator accounts on iOS 7.

------
div
iOS7 beta automatically updated my Google Authenticator. The 'updated app'
indicator is taunting me.

------
nick_urban
This is the most pressing and actionable information I have ever gleaned from
a news site. Thank you!

------
arange
this is especially bad for mtgox as it does not have backup codes or cellphone
backup.

------
olive_
Lesson learned: do not upgrade anything unless you read some feedback about
it.

------
mcleod
Is anyone else just happy that the assets will finally be high-res? :P

------
cominatchu
I recommend using the Authy app instead, it's much better

------
jbrooksuk
I'm just glad it works full screen on the iPhone 5.

------
andreif
Some guys really needed retina support. Now you got it.

------
victorlin
Damn it... This is stupid, I just upgraded too.

------
namaserajesh
Thanks for letting us know.

------
icecreampain
I cannot fathom why people still rely on Google for their core business needs.

At my last place of work I built an SMS system to be used as the second factor
in the intranet login. I _could_ have used a 3rd party 2FA, but the most
_logical_ reason to have our own system was ... well.. we didn't want to rely
on anyone except ourselves.

Didn't take me long and the most difficult part was finding enough USB-
connected phones to be used as SMS senders.

Guess what? The system still works today, while Google is broken.

~~~
crumblan
> didn't want to rely on anyone except ourselves.

And the remarkably secure telecom system, of course.

Google's style of 2FA is IMO technologically superior in that there is no
communication after the initial seed. It also appears to be somewhat
standardized -- see others posting about Authy. You could have your own
handwritten program running the algorithm if you wanted to be independent.

The real screw up on Google's part is not instructing users to have an
encrypted backup of their 2FA data.

~~~
jordanthoms
Well, they do instruct people to print backup codes.

------
corresation
Somewhat related, but when I setup two factor authentication I securely saved
the initial TOTP tokens (using barcode scanner to extract it) for exactly this
sort of situation (well in my case it was that I switched smartphones enough
that having it tied to one was nonsensical).

