Google Authenticator Now Supports Backing Up 2FA Codes Using Google Account

[tennisproha]

This is completely different than backup codes. These codes are talking about the temporary ones that expire and regenerate new ones every 30 seconds or so.

oh that’s just regular 2FA codes then

 

[tennisproha]

Hopefully you have a strong (20-30 character) passphrase on your apple ID, and are never a victim of passcode shoulder surfing. The problem with putting this passwords in an ecosystem with other data (especially email) is that you're reliant on the least secure fallback authentication method. Even Apple's recovery key's are now being abused to lock out accounts.

No thanks, I'll stick with 1Password.

how’s 1 password any better? it’s still secured by a password rt?

 

[Mr. Heckles]

It’s not end to end encrypted

“We tested the feature as soon as Google released it. We realized that the app didn’t prompt or offer an option to use a passphrase to protect the secrets,” the company wrote on Twitter.

 

[brijazz]

No.

What does concern me is what other information they are able to skim off my device simply because I have their app installed (location, clip board contents, etc.) that adds to their already voluminous collection. Simple as that.

View attachment 2193111

Example: WTF does Google need my contacts for in order for the authenticator app to work? Why are they collecting Search History? Location?!!?! F Google!

Huh. I have had Google Authenticator installed for ages, and it doesn't appear in Settings>Privacy & Security>Contacts on my phone.

 

[julianps]

Google wouldn't have your keys. They'd be encrypted, similar to how the keychain is for iOS.


Transport security is far simpler than storage security, so I very much doubt that would be a problem. Https/Tls is ubiquitous.


Well, hackers and Google would only be able to extract encrypted data. Also, the exact same arguments can be used for Apple or anyone.

And yet here we are, just a day or two later, and "We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted," said Mysk via Twitter. "This means that Google can see the secrets, likely even while they're stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."