Ahem, I think making it much easier to transfer and back up 2FA codes is extremely important to make this area more usable. But I'm missing some parts here in this announcement about how the data is protected. Is the security the same as for the Google Account itself, or are there additional checks or protection for the case where you need to restore 2FA to another phone?
And how are you supposed to handle the 2FA for your Google account? I mean I have U2F tokens which remove that concern, but that is far from the typical case. If you have the 2FA for your Google account in the Google Authenticator, which is probably a very common case, how does this entire thing work then when you need it, which is when you lose your phone?
> And how are you supposed to handle the 2FA for your Google account? I mean I have U2F tokens which remove that concern, but that is far from the typical case. If you have the 2FA for your Google account in the Google Authenticator, which is probably a very common case, how does this entire thing work then when you need it, which is when you lose your phone?
You open your safe and you use one of the recovery codes that you wrote down when you set up 2FA.
> You open your safe and you use one of the recovery codes that you wrote down when you set up 2FA.
HN rarely does humor, but when it does, it really cuts deep.
Can you really expect a typical person - including the tech-savvy ones - to keep a hastily written piece of paper for a decade or more, without losing it? My code card is clocking on a decade, I needed it only once (so far), and it's only pure luck that, in all those years, I haven't accidentally destroyed it or thrown it away.
Also: it only recently became apparent just how bad it is to lose access to your Google account. Most tech-savvy people I know don't even realize how many things in their lives are gated by that little login form. Non-tech-savvy folks? Maybe they'll figure it out in a decade, after enough people have been thrust into poverty for lack of Google 2FA recovery codes - so many that it's as boring a news story as car accidents.
Post by "Group Product Manager". It's a pretty useless post. Could've been 2 sentences.
From the support page:
> If you’re signed in to their Google Account within Google Authenticator, your codes will automatically be backed up and restored on any new device you use.
Still doesn't explain how it works. On the same page they're talking about synchronization:
> Google Authenticator 6.0 on Android and 4.0 on iOS introduces the option to keep all your verification codes synchronized across all your devices, simply by signing into your Google Account.
I don't understand why "people" think it's a good idea to hide any form of mental model or technicalities.
Provide people with a mental model. It will make it easier to understand all the Ws. People are not stupid. They will understand, as long as you can describe it properly.
I remember pushing for this when I was at Google ~5 years ago. I wasn't on the team but I wrote 2 proposals, one to do QR code export and import and another to sync codes using the Google backup framework.
Neither was approved nor denied, just in limbo. But nice to see that both features have finally shipped. Sadly I have switched away to 1P, too much effort to move it all back.
Years ago I got FUCKED when I used Authenticator and bought a new phone. I just assumed everything would be backed up to iCloud, like everything else. I lost access to accounts which were almost impossible to retrieve. Millions of people have been screwed thus, turning people away from 2FA. I can't believe it has taken this long to enable sync.
Our onboarding docs specifically tell employees to NOT use Google Authenticator precisely because of this issue. I have no idea how Google let this fester for so long, literally if even one (1) person over there was using it and got a new phone, they should have known about the issue.
This is not a 2FA problem. It's a google problem, and the google problem is not limited to 2FA.
Do not use google-anything, for anything in production, ever. They make shiny products that depending on your point of view may be nice or just shiny. But their total solution is not a serious competitor to any of the major players. Any time anything depends on google, you risk it destroying a part of your business - yes, under a paid support contract.
I was doing a dc migration at a hospital once, and they used google authenticator. I'm waiting for the day some sysadmin who knows some dev who worked with some dev on an app that was banned from some phone that got resold, will cause all the storage, network, and sysadmins to lose remote login access to all their devices during a sev1 at 2am.
Incidentally, Signal works the same way on an Apple device. No backup. Lose your phone, and your entire chat history is GONE, together with all the media.
Apparently the authors of Signal consider backup to be less important than all the idiotic "story time" features and similar doodads.
Yep, I’ve been using Authy for years because of this. Before that, I would have a second phone with GAuthenticator on it and when I scanned the QR code to set up a new account, I would do it with both phones simultaneously to make sure I had a backup. It always struck me as absolutely ridiculous.
The main point of TOTP is that users' passwords are mostly weak and reused across sites. TOTP protects those users from password stuffing and similar attacks.
If you are using a strong random password generated by 1PW you've already mitigated that threat. TOTP isn't buying you much additional security. So for most folks it is just fine to store your TOTP seed in 1PW.
Unlike TOTP, passkeys _do_ buy you additional security in their phishing resistance. So you should always prefer passkeys/FIDO2 keys to TOTP if that is an option. It's still fine for most users to use 1PW as your passkey storage.
I'm also having the same thoughts about Google Auth: my email (Gmail) is a big target for gaining access to the rest of my digital life, and putting 2FA in the same hands seems risky. I'd need to do more evaluation to consider leaving Authy.
As a former Google Auth user, who bungled my own phone migration a few years ago - yeah, defense in depth is better but at the time, I was furious there was no way to recover my Google Auth and I had to go to every single service and reset my 2FA.
Storing both on 1Pass is not as secure, but if the alternative is that once in a while you misstep and spend a week restoring your TOTP setup (or lose entire accounts because your service provider has no functional customer support), then I'm amenable to stable but less secure options.
> It seems like a very, very bad thing to store both your passwords, and TOTP codes in the same tool
Yes. It defeats the purpose. But whenever you mention it, you will get lots of replies with plenty of hand-waving why this is still better and why it doesn't matter "much".
If you go to the effort of doing 2FA, do it right. Two Yubikeys, and a reasonably decent TOTP app (Authy qualifies as "reasonable") for those sites that do TOTP.
Very true, however as others have pointed out it all comes down to levels of security.
There are many non-important accounts where I have 2FA, and both the password and the TOTP are in 1p. This should suffice against any brute force password attacks. However, there are some accounts (like Google) which one can consider more important, for which I keep the TOTP in a separate app like Authy.
More recently I've been switching to yubikeys where possible.
Eh, it's still better than not having it. Which is likely the bar for a lot of casual users. Mostly the goal is to prevent password reuse I think, which comes down to convenience. And unless 1pass gets hacked (which could happen! see: LastPass) it's relatively secure for that purpose.
Yeah, but only as a means of transferring them to another device. Sure, you could abort the flow before the existing codes were deleted, but it was far from ideal.
I’m glad there’s finally real support for backing up codes.
Does the export invalidate the existing device after export? It sounded like it's only for moving to a different device rather than having two at the same time.
I would've even been happy if they didn't block you from screenshotting the QR export code. This has caused me so much pain over the years but nope, they refuse to change it.
This basically means you can never factory reset your phone without someone else using their phone to help you, which means you're forced to share your entire account and all your codes with a third party who might keep them forever.
You also can't preemptively back it up in case your phone is stolen or lost.
But nope, Google thinks they know best and in 2023 they still actively block you from keeping your accounts safe. It's mad.
You can go to a place that has self-service photocopiers and copy the QR code(s) from the export screen(s) to paper that way.
I just tested this using the copy function of my Brother printer/scanner, and my phone was able to successfully import from the printed export code.
I've only got 4 accounts in Google Authenticator (because I only have it because I wanted to help someone else once who was using it figure out something). The more accounts you have the denser the QR code will be, so it is possible that you might have to split the export into multiple passes with this method if you have a lot of accounts.
The worst thing about Google Authenticator was migrating to another device, and the amount of support my IT team had to deal with from people upgrading phones. I can’t believe how long it took for an export feature.
Yeah, I switched away from Google for this reason. Pretty wild to think of the implications of losing your phone and having no backup. Even switching phones required resetting all your codes. Authy is a mess, but at least it had this functionality when it was still actively worked on.
All you need is the OTP secret. I have all of mine stored in my bitwarden. I can plug and play them in any supporting app to keep generating the 2fa codes.
Such a bizarre app. Instead of implementing push notifications in the "Google Authenticator" app, Google decided to add the logic to all other apps like YouTube. Before we introduced Okta, our users would get notifications like "Open the YouTube app on your phone to approve this login".
Whilst clever for the people who don't have Google Authenticator installed, it's just bizarre to ignore it when it's there.
They also once bizarrely replaced the `com.google.android.apps.authenticator` package with the new (and still used) `com.google.android.apps.authenticator2`, making everyone set up their accounts all over again or forgo updates: https://www.androidpolice.com/2012/03/22/psa-googles-authent...
Google's preference of their weird, bespoke authenticator over TOTP is also very annoying to anyone who would rather not. (it is required to add any additional authenticators, and the default authenticator)
TOTP is still phishable; the push notification includes information on where you're logging in from, so you at least have a chance to notice that the login is coming from Croatia and not your house.
I'm not sure what Google is trying to belatedly do with Authenticator at this point. But making it less of a support nightmare is a good thing. And I expect somebody (finally) got pragmatic about it maybe not being ideal that users get locked out of all their critical accounts every time they lose their phone. I bet that generates a lot of support overhead for them.
2FA setup in general is a PITA to support with users in the real world. I speak from experience. It's too complicated. Too many different steps involved. People get stuck doing it. People get locked out of their accounts. Etc.
Most people with a clue would not use Authenticator but one of the many alternatives that do the same job but with a bit more convenience (like syncing secrets between devices).
I tend to use Authy. And of course Okta actually acquired Auth0, which created Authy. But you could also use many common password managers for this (except of course the Google or Apple ones people actually default to on their phones).
Meanwhile, Google, MS, Apple, and others are also pushing hard for passkeys. That seems more promising. But what worries me is that they regard this as a browser thing. So that still leaves a lot of mess outside of browsers. As well as their legacy of other supposedly user friendly ways of signing in. At this point most of them de-emphasize 2FA actually. Because it is such a support nightmare.
So are you telling me you can just use vanilla iOS to store TOTP like with Authy or Google's Authenticator or 1Password, but directly in the Apple keychain?
That seems nice
Honestly I think apple could do a better job at camera -> qr ux flow
Yup. The catch is, it's kind of buried in System Settings.
Cabel Sasser wrote a blog post that was making the rounds a few weeks ago, advocating for a dedicated app. He's right, the existing Apple implementation works great but it's still a lot for normies.
You mean the idiotic little tiny yellow popup which only stays on the screen while the QR is in view and must be tapped to activate... WTF were they thinking, right? (You can add a "QR reader" button to your control center though, which functions in a more sane way.)
Anyway yes you can do that, but I wouldn't use iCloud keychain at all because your Apple account, including ICKC, can be fully hijacked using one factor only - the passcode of the device an attacker has. People watch you unlocking in a bar, then grab your phone and run. Google "joanna stern iphone passcode" before moving any precious data into Apple's control.
You need to store the password on the iPhone in this case, which is insecure. The whole point of having the second-factor auth is using two separate devices: a computer stores the password (in a password manager) and a smartphone generates the TOTP codes.
I have started using Aegis on android which is fantastic. Backup and restore anywhere.
My advice would be to not have everything in one place, no matter which ecosystem you are on. Going all in is never a good idea, whether it's Google or Apple. It's great that Google has done this, but just use another app to manage that.
One would be crazy to keep their passwords and 2FA with a company which does not provide customer service (unless you pay for Google One, which still doesn't cover all of Google)! I know, it's bad to store both passwords and OTPs in one place, but 1Password does this for me smoothly, and I trust them orders of magnitude more than Google, so, no, Google, you're too late to the party, plus, you need to regain our trust, which seems impossible at this point!
Except for Microsoft’s. It took me twenty minutes of trying to realize that they have their own non-standard QR codes, and that I had to click “use another authenticator app” to get a standard one.
Personally I would be a little weirded out if a customer service rep could access my account over the phone, especially in an account recovery situation where "I lost credentials oops".
I had always thought that the lack of cloud synchronization was a deliberate security feature. If my TOTP secrets sync to the cloud, doesn't that defeat the entire point of 2FA? Now, instead of my physical device being the sole second factor for authentication, anyone who is able to breach/intercept/coerce someone at Google into divulging/etc the TOTP secrets from Google's cloud storage, my accounts are toast...
Google's authenticator has been outright harmful in how neglected it has been, especially when it comes to backing up your codes outside the app. This should be a very full-featured and well-maintained application considering how essential it is for security.
For years I've been telling anyone who'd listen to use Authy instead.
Do you consider your safe to be... safe? I'd imagine it to be relatively easy to get into, by picking the lock or sawing through the safe.
It seems like a very, very bad thing to store both your passwords, and TOTP codes in the same tool...
I use Authy instead, which also backs up TOTPs.
I keep my 2fa backup codes in my Keepass safe. Where else will I keep them?
The old one has its name changed to "(old)": https://play.google.com/store/apps/details?id=com.google.and...
FIDO is still vastly better though.
https://support.apple.com/en-gb/guide/iphone/ipha6173c19f/io...
https://cabel.com/2023/03/27/apple-passwords-deserve-an-app/
And so I looked it up. Became pretty popular on HN.
1) Attack vector reduced to one account which you maintain with healthy hygiene, and hopefully don't use with public systems, etc.
2) You can keep backup 2FA for a single account instead of keeping it for N accounts.