
> I'm surprised Google encourages syncing the codes to the cloud... kind of defeats the purpose

Probably so when you upgrade/lose your phone you don't otherwise lose your MFA tokens. Yes, you're meant to note down some recovery MFA codes when you first set it up, but how many "normal people" do that?



A number of sites I've signed up for recently have required TOTP to be set up, but did not provide backup codes at the same time. There's a lot of iffy implementations out there.


The TOTP recovery code is just a base32-encoded secret key, which is also present in the QR-encoded URL.


gross


With Google Authenticator some years ago it wasn't even possible to restore your codes even if you had a local backup of the device. I'm not sure if that still is the case today but it was a common issue which we saw at our service desk before we switched to a different solution.


Yeah I had to re-enroll my phone when I got a new one a few years ago.

I never did get around to doing all of them so I still have the old phone in a drawer for those rare times I need it.



