
Would this mean that these two values are stored locally? Could they be extracted from the GA app?

Technically, yes. The name of the key is set by default as the account name in the app. I haven't looked into how the secret is stored in the Google Authenticator app—hopefully it's stored securely or with some level of obfuscation, but the app definitely needs to be able to retrieve the secret key somehow to do the token calculation.

One thing to note is that neither Google Authenticator nor Duo Security let you display the secret itself in the app. Another thing to note is that Google Authenticator keys seem to be backed up if you back up your iPhone to a computer using iTunes (mine were still there after a restore).

If you've disabled the built-in protections on Android for the /data/data/ folder (such as "root"ing it), getting the keys out is as simple as:

$ su

# sqlite3 /data/data/com.google.android.apps.authenticator2/databases/databases 'select email, secret from accounts'
