Do you guys honestly think Google employees will be using your 2FA keys to login to your accounts?
Yes. They do. How many of their claims can the majority of these people substantiate? I'm going to suggest close to zero.

When they do add a link to say LOOOOOKKKKK!!!!!!
Ask them to add context, you know like how many times companies they love have been caught in compromising situations regarding user privacy.
Ask them how many of the companies they love use Google services and they'll come up with a reason why that part is OK.
 
Question: I have 2FA on for my Nintendo account; can that be switched to a different authenticator app or am I stuck using the Google authenticator app? In the settings of the Nintendo account site it specifically mentions Google authenticator as if it’s the only option available.
 
Apple supports this since iOS 15. No need for any 3rd party app.
 
Since I have a zero tolerance policy on lost 2FA-generation assets, I regularly export my Google Authenticator accounts (150+) from new iPhone to old iPhone using the export-import-but-don’t-delete method.
 
Guess the NSA got sick of 2FA cracking ... let's ask Google to solve it ...
 
I mean... if you want to completely disregard the fact that hackers exist and that Google would happily hand over your keys to a government for whatever reason they come up with, then yeah... I guess you're safe letting Google store your 2FA keys.
If a government is asking for your 2FA setup keys in the first place then you’ve likely got much larger and more pressing issues than Google privacy/security. Regardless, I’m doubtful that a government would be all that interested in obtaining 2FA setup keys when they can simply serve process asking for whatever data they’re actually after, but yeah, that’s a possibility, I guess?
 
But I'm also worried that Google made some compromises to allow the transfer of codes between devices, as I originally understood the codes being generated are tied to the hardware profile.

No, TOTP codes are really just tied to a timestamp. Your device(s) and the server the code initially comes from agree on a key (either one you type, or one that's in the QR code, so don't share the QR code with someone). Then they take whatever the current clock says, entangle that with the key, and come to the same result (for 30 seconds, 60, something like that). There's no need to compromise anything, nor for any kind of network connection; all you need is for the two endpoints to agree on the initial key (such as by having one device present a QR code and having the other scan it).
 
Never used it and never will. Looking at their privacy labels, there is no reason they need some of that stuff.

I use OTP Auth and it's great.
Do you think Google just slaps the same privacy label on all its apps because it is easier to manage?
 
Seems like a bad idea…

Google has your keys.
Google wouldn't have your keys. They'd be encrypted, similar to how the keychain is for iOS.

No, and whilst I'm sure the keys are encrypted on-device and on Google's servers, I question the security whilst in transit between the two. They wouldn't be the first 2FA service to make a buggers-muddle of that.
Transport security is far simpler than storage security, so I very much doubt that would be a problem. HTTPS/TLS is ubiquitous.

I mean... if you want to completely disregard the fact that hackers exist and that Google would happily hand over your keys to a government for whatever reason they come up with, then yeah... I guess you're safe letting Google store your 2FA keys.
Well, hackers and Google would only be able to extract encrypted data. Also, the exact same arguments can be used for Apple or anyone.
 
Hopefully you have a strong (20-30 character) passphrase on your Apple ID, and are never a victim of passcode shoulder surfing. The problem with putting these passwords in an ecosystem with other data (especially email) is that you're reliant on the least secure fallback authentication method. Even Apple's recovery keys are now being abused to lock out accounts.

No thanks, I'll stick with 1Password.
How is sticking with 1Password going to do anything to prevent shoulder surfing?
 
Seriously. lol

Yes, I very seriously try to limit my exposure to Google's services in part for the reasons detailed in post #11. Did you have a point or anything to contribute to this conversation? YMMV but I care about privacy and protecting user data, there is absolutely no reason why Google needs access to your contacts or search history for an authenticator app.
 
there is absolutely no reason why Google needs access to your contacts or search history for an authenticator app.
It doesn't look like the Google Authenticator app has access to that data to me, do you have anything that says it does?
 
Question: I have 2FA on for my Nintendo account; can that be switched to a different authenticator app or am I stuck using the Google authenticator app? In the settings of the Nintendo account site it specifically mentions Google authenticator as if it’s the only option available.
You can use whatever. I use OTP Auth for mine.
 
It doesn't look like the Google Authenticator app has access to that data to me, do you have anything that says it does?

See post #11 where I captured their privacy scorecard from the app store.

Edit: I just found out about this and turned it on, we'll see in a week or so...

 
/sigh

See post #11 where I captured their privacy scorecard from the app store.
Thank you, and I see that on my iPhone too. I wonder how accurate that is and why would one have to go to the App Store to see it, it should be in settings like Android's permissions.

Anyway, Microsoft Authenticator doesn't say contacts, but it does say user content, which means contacts and a lot more to me!
 
Thank you, and I see that on my iPhone too. I wonder how accurate that is and why would one have to go to the App Store to see it, it should be in settings like Android's permissions.

Anyway, Microsoft Authenticator doesn't say contacts, but it does say user content, which means contacts and a lot more to me!

Holy hell batman!



Here is the full list: https://developer.apple.com/app-store/app-privacy-details/

Would love to see the Google (or MS) fanbois defend this crap! No way an authenticator app needs this level of access, this is 100% data collection and spyware!
 
Question: I have 2FA on for my Nintendo account; can that be switched to a different authenticator app or am I stuck using the Google authenticator app? In the settings of the Nintendo account site it specifically mentions Google authenticator as if it’s the only option available.
Nearly all 2FA systems these days use the TOTP standard, which is supported by every 2FA app, including Apple's iCloud Keychain, Authy, 1Password, and all the usual suspects. I have my Nintendo account 2FA in my app of choice which is not Google Authenticator.
 