
Have you tested this? Are the barcodes not time pertinent?

(I've studied two-factor authentication using HOTP and TOTP, and built a node.js implementation of it.)

The QR codes simply divulge a URI with the secret key for generating tokens. They look like:

The secret key is used in the app in conjunction with a moving factor (usually 30-second intervals of time) to generate a numerical hash of sorts for that interval of time, which is then truncated to 6 characters.

The QR code itself doesn't have any sort of time limit on them; they only serve to transmit the secret key.
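The mechanism described in the comment above, as an added example that is not part of the original thread or any commenter's code: it parses a constructed `otpauth://` URI of the kind such QR codes carry and derives codes per RFC 6238, showing that the code depends only on the secret and the clock, never on when the QR was scanned. The account, issuer and function names are assumptions; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the secret is the RFC 6238 test key
# "12345678901234567890" in base32; account and issuer are made up.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Return (label, key_bytes, digits, period) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # apps usually strip base32 padding
    key = base64.b32decode(secret)
    digits = int(q.get("digits", ["6"])[0])   # defaults used when absent
    period = int(q.get("period", ["30"])[0])
    return unquote(u.path.lstrip("/")), key, digits, period


def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // period)  # moving factor
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_from_uri(uri, unix_time):
    """Anyone holding the URI can compute the code for any moment."""
    _, key, digits, period = parse_otpauth(uri)
    return totp(key, unix_time, digits, period)


if __name__ == "__main__":
    import time
    print(parse_otpauth(SAMPLE_URI)[0], code_from_uri(SAMPLE_URI, time.time()))
```

Because the URI alone reproduces every future code, a saved QR image or screenshot needs the same protection as the secret itself.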

This. I scanned one QR code with a regular QR code reader and came to the same conclusion...

I haven't actually tested it though. :-/

Would this mean that these two values are stored locally? Could they be extracted from the GA app?

Technically, yes. The name of the key is set by default as the account name in the app. I haven't looked into how the secret is stored in the Google Authenticator app—hopefully it's stored securely or with some level of obfuscation, but the app definitely needs to be able to retrieve the secret key somehow to do the token calculation.

One thing to note is that neither Google Authenticator nor Duo Security lets you display the secret itself in the app. Another thing to note is that Google Authenticator keys seem to be backed up if you back up your iPhone to a computer using iTunes (mine were still there after a restore).

If you've disabled the built-in protections on Android for the /data/data/ folder (such as "root"ing it), getting the keys out is as simple as:

    $ su
    # sqlite3 /data/data/com.google.android.apps.authenticator2/databases/databases 'select email, secret from accounts'

Fine, outdo me haha. Saving the key is useful with AWS MFA because if for some reason you lose your MFA virtual key (the app updates and you lose the key), you have to contact AWS to have it reset; you can't just do it yourself.

Awesome. Yeah I clearly am out of my depth :)

They are not. I've done this many times now. Very handy when switching between phones because you don't have to recreate the tokens every time you switch.

Just be mindful that whenever these screenshots get compromised, you've lost all your tokens.

Yes, I have tested this and it works. Of course, make sure those screenshots are safe and encrypted too.

Or print them out and store them in a bank safe...

