@DrV Security is not the problem in the first place, but the fact that there are many other 2FA apps (the principle is really simple) that do a better job where GA fails at a very important part: backing up 2FA codes. IIRC they were not even backed up using iTunes because they are linked to some device S/N or even the security chip.

Now while 2FA leads to elevated security, it only does that as long as it's being used. If people get locked out because their GA failed to restore from backup, they tend not to activate 2FA anymore in the future.

The conclusion is 2FA without a high level of usability will ultimately not be adopted by customers.

Printing the registration code is of course an option, but it's an unnecessary hassle. A 2FA app should be able to somehow back up the codes on its own.
2FA codes, unlike the private keys of certificate-based authentication, are also not top secret, since they are literally a second factor... as such an export should have been possible from day 1.
Thank you for the detailed answer!

Yes, I agree. Usability with cloud backups is much better, but that leads to reduced security. So, this is a compromise. I have been reasonably happy with GA, and I have been willing to sacrifice usability for security. (That happens with all authentication methods.)

I do well understand the point that almost any 2FA is better than no 2FA, and that the added security from not having the cloud backup may not be worth the hassle. OTOH, I have a safe which is close to my printer, so I do not find it very difficult to make safe paper copies. Nevertheless, I have noticed many people back up the QR codes by taking a photo or screen capture. That, in turn, is potentially much less secure than proper cloud backups.

Personally, I am in the process of moving to Yubikeys. They should be more secure than any software authenticator, but the cost is non-negligible as you need at least two.
 
I am just curious... What is wrong with GA from the security POV?

I understand GA is a PITA when changing devices (been there, done that, and now I have printouts of the QR codes in my safe ICE), but the other side of this is that the info is not on anyone’s server.

Another potential downside is the situation where someone has access to my non-locked phone as the app is not requesting any password or biometric id. But what is the use case where this is a real attack vector for 2FA?

I am not saying GA is the best possible solution in the market, but I’d like to understand the security model of these different authenticator apps.
GA is actually more secure. The unique token that is used to generate the code is stored only on your device. Similar to RSA tokens.

Authy, 1Password, etc, all upload that token to their servers, creating another theoretical point of attack.
 
Yep, I'm in the OTP Auth camp too (https://apps.apple.com/gb/app/otp-auth/id659877384). Hassle-free syncing across devices, Safari plugins to make entering the codes a doddle. I don't know why people would use Google's version. Even this solution requires that you have the new and old phone at the same time, so doesn't work for trade ins, or replacements of lost/broken phones.

I appreciate not storing the keys in the cloud is more secure, but come on, they're stored encrypted in iCloud with a key Apple don't have. I doubt anybody with the power to hack that is particularly interested in pretending to be me on MacRumors forums!
 
@DrV Security is not the problem in the first place, but the fact that there are many other 2FA apps (the principle is really simple) that do a better job where GA fails at a very important part: backing up 2FA codes.
You say "fails", but most security experts see it as a positive that GA doesn't back up codes to the cloud. By backing up codes online, you are reducing the security of all of your accounts. The question is really about how much security you are willing to give up for convenience. I for one am glad there are options out there without a cloud backup. GA doesn't need to try to compete with auth apps that back up to the cloud.
 
I use Microsoft Authenticator now (I used Google Authenticator for many years and Authy for a year or two) and I'm very happy with it. Many ways to add your codes, backups (if you want, you can disable it), plus password-less login to your Microsoft account which I initially didn't think I'd use but boy is it a time-saver. You can also perform several security related tasks on your Microsoft account through the app. For someone like me with one foot in the Microsoft world and one foot in the Apple world it's perfect.
 
At last! I'm glad I thought about checking out Google Authenticator when I bought a new iPhone. Otherwise I would have lost access to many accounts.

I use LastPass for common passwords but still find GA useful as an extra layer of protection for a few.
 
Three weeks too late for me. I really could have used this when I migrated from my original SE to my 12 mini. Instead, I went through the tedious process of scanning all of the 2FA barcodes for a "new" app. Now they're all in 1Password.

Buh-bye, Google.
 
Wow, I’m so glad this happened. Dealing with this in the past was one of the most frustrating parts of transferring data from one iPhone to another.
 
I stopped using Authenticator and just use 1Password. One and done.

Privacy issues aside, Google can have incredibly useful and intuitive apps, but it also has some real head-scratchers. For instance, you can use email groups in Gmail on the web to send one email to multiple folks merely by typing the name of the group in the 'To' field (i.e. All Staff group sends an email to everyone you've added to that group).

When trying to use the Gmail app, you can't send to groups. You have to set them up in Contacts... very lame. I just use Safari and request the desktop site.
 
If you do encrypted backups of your iPhone to your computer does that save the codes (in lieu of a backup to the cloud)?
iCloud backups do not back up your Authenticator codes.

Don't have an answer for local backups though.
 
Too few, too late. Authy has taken the spot as a decent and easy to transfer 2FA application with a much better approach of using iCloud storage for backups and restore. Move along, Google - you had your time.
I used Authy for quite a while. I finally made the switch to the 2FA facilities in 1Password (I’ve been using 1Password for passwords forever), and I like it much better. And with 1Password, there’s zero concern about portability, the one time passwords are just there.
 
What do you find bad about Authy? Genuine question, I’m a happy user of it but wondering if there are even better solutions.

It’s great having my 2FA codes on my phone, watch and computer. Realise this may be a slight security trade-off if someone somehow gains access to one of my devices physically, but that’s not really why I use 2FA.

I think there was just some confusion there about the app. TOTP is a standard and Authy is just one implementation of it. If a site is requiring a specific app, it's not using true TOTP.

That said, moving Authy to my new phone back in November was very easy, and I verified against my iPad, laptop, desktop, and old phone that the codes it and the Blizzard Authenticator were generating matched the older device before wiping it.
 
Like others, I needed this feature a little over a month ago when I ordered the iPhone 12. As a result of having to go to several webpages to generate new 2FA codes, I imported them into Microsoft Authenticator instead.

So yeah, for some this is too little too late.
 
I heard two things which may make a difference.
I use Authy due to the ability to transfer to another phone, which is the reason I think many did, and what was disliked about Google's past offering.

However, two things.
1: I understand Authy had changed hands (not sure if that's something to consider security wise?)
2: Authy holds your info (it was how they were able to do the new phone thing) but Google only keeps the data on your phone and does not hold it at all, so even more secure.

Will admit I'm tempted to change from Authy to Google now.

Any thoughts on the two points above?
 