Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Google Security IT

Google Authenticator's First Android Update in Years Lets You Move Your Account Between Devices (theverge.com) 27

Google Authenticator, the company's code-based authentication app, has received its first update in three years, updating the app's interface for larger screens with more modern aspect ratios and delivering one of the platform's most-needed features. From a report: The Android version was last updated on August 22nd, 2017, while the iOS one was updated around a year ago to adjust it for iPhone X screens. Now, for the first time, Authenticator users will be able to easily transfer their account from one device to another without needing to manually transfer each code or disable and reenable two-factor authentication (2FA) on each account. The update introduces this feature through an import / export tool that lets you choose which accounts to include and transfer using a single QR code scan. It's a feature that competitor Authy has provided for quite some time, so it's refreshing to see it come to Authenticator, even if it's years late.
This discussion has been archived. No new comments can be posted.

Google Authenticator's First Android Update in Years Lets You Move Your Account Between Devices

Comments Filter:
  • by Thrakkerzog ( 7580 ) on Thursday May 07, 2020 @09:58AM (#60032062)

    I already moved over to yubikeys.

    • by AmiMoJo ( 196126 )

      Been looking at a Yubikey but I don't like the lack of security on the key itself. With a phone at least you can have a password or fingerprint.

      How are they for wiping for travelling too? Like say I need to go through customs I can back up my phone and factory reset it, then restore it at the other end or even on the aircraft. I'm not sure if you can do that with a Yubikey.

      How is it for robustness as well? I worry about damaging the key or the port it is plugged in to. I wish computers had NFC for this. I s

      • Re:Too late (Score:5, Informative)

        by darkain ( 749283 ) on Thursday May 07, 2020 @10:49AM (#60032230) Homepage

        A couple things on this I can answer, as having a key on my keychain for 5 years and using it pretty much daily.

        Locking: the NFC/2FA stuff isn't locked, neither is the touch button. But literally everything else is locked behind a password/PIN code. So basically the only things NOT locked are things that would require a username/password anyways, and the key just provides a second factor.

        Wiping and restoring is possible, assuming that all the encrypted content was created on a PC and stored on a PC first. For instance, there is NO way to retrieve the private key used for SSH authentication from the Yubikey. All authentication processing happens on the key itself (slowish on older keys, much faster on newer models). Basically, you can write a new SSH key to the Yubikey, but you can never read the existing key on it. So if you have a key file stored on your PC, you can write it to the Yubikey (or multiple keys, if you want them to be the same)

        I was worried about durability too. But after half a decade, the key looks and works great. This includes a point in time when I lost it in the work parking lot, it rained, and was out there for about 2 weeks before found. There is very noticeable wear and tear around the key ring hole on this one (the Neo), but later revisions fixed this by adding a metal ring inside of the key ring hole.

        Over all, these things are totally worth it. The metal and plastic are far superior to any other USB device I've used. Metal contacts still look great. Every USB port I used reads the key perfectly still.

        • by AmiMoJo ( 196126 )

          Thanks, +1 informative.

          The only thing I can't figure out is how to use it with KeePass on Android. Well there is one way, use the fixed password option with a USB C model. But USB C isn't common on computers yet.

          Ars Technica is doing an offer where you get a subscription and a key for less than they cost to buy right now.

        • The Yubikey NEO supports NFC. It's very handy to use on a phone along with OpenKeychain.
        • I was really impressed with the YubiKey, and I still have one, but I won't use it unless I have a way of unlocking my account if the key fails - this is all because my last key did fail, and I didn't carry it on my keychain, or anything that would cause it to be excessively knocked around.
          One day it just started to spit out only roughly half the size of the expected key, and of course I had no way to verify whether what it did output was valid or not. This bit me hard with Passpack (not a recommendation, in

        • My oldest yubikey has been on my keyring for just over 9 years now. Still works fine. My new one (a blue FIDO U2F one) is only 4 years old. It actually shows slightly more wear around the keyring. Must be a slightly softer plastic.

      • From the manual:

        For greater security, you can protect your YubiKey with a password.
        Yubico Authenticator enables you to protect your Yubikey NEO, YubiKey 4, or YubiKey 4 Nano with a
        password. You are prompted to type this password each time you insert a password-protected YubiKey into
        a USB port of your computer, or the password protected YubiKey and your Android device connect over
        NFC.

        • by AmiMoJo ( 196126 )

          That requires the Yubikey software though, right? Still, useful.

          I see they have a biometric version due out soon. Very few details but presumably it will work like the normal one but with fingerprint auth instead of just a button.

          My ideal key would have Bluetooth and a panic button that wipes it when you hold it down for a few seconds.

  • If you update this app, it keeps coming back in the list of updates as soon as you install it (if that makes any sense)
    • by Burdell ( 228580 )

      Think that may be a store bug, not an issue with the app itself. I didn't see that behavior with Google Authenticator, but I did a few days ago with PagerDuty.

  • You should be taking a screenshot of your QR code when you first set up the authentication profile and then print/save in a file cabinet. That way you don't have to rely on Google storing your secrets and you can lose your phone at any time and still be able to recover on a new phone.

    • KeePass allows you to store files, so I use that to store the GIFs/PNGs of the QR codes. Doesn't hurt though to have a hardcopy in a drawer in your house.

    • Agreed and that is what we do - screenshots of everything. We take it a step further and use the screenshot to actually add the seed to the device, as this verifies the screenshot is perfect.
      We need a lot of 2-factor codes for our company. Most of them we do not share the seed for, because if someone were to login from home we could potentially lose 50% of our revenue stream.

      I find it odd that the first comment to the article says it is too late, because Yubikeys are here. That doesn't work for everythin
      • or just take note of the secret and store it safely in keepass or something similar, as when you enable 2FA via TOTP with google you can make it show the secret it generated, not just the QRCode. Also you could just use keepassxc which has a great TOTP function on the phone and desktop, so you can keep your 2FA behind another password (and in my case, biometric, password and keyfile)
  • This eliminates a pretty key feature in many contexts, namely that you need that specific device in order to authenticate. Otherwise, it seems hardly any better than just writing down an extra password in any normal text file on your phone.

  • by Koyaanisqatsi ( 581196 ) on Thursday May 07, 2020 @11:44AM (#60032502)

    For such a sensitive app, which basically holds your 2nd factor for a number of other properties, it misses a lock option which protects the app behind your bio-metrics or FaceID. Because of that I switched to Microsoft Authenticator, and haven't looked back. And to boot, the MS app also displays favicons for the different services (if the QR code data includes an URL), which GA didn't do back then - maybe it does not, haven't checked.

  • While 2FA is very relevant in this day and age, it is unfortunate it only took Google almost 3 years to bring such a basic feature - and yet, not sure how secure it is. Understanding your keys now need to go âoesomewhereâ, either as a cloud backup or the likes, many other apps already filled this gap. Plus, since you cannot protect your protection (the app launches and shows it all to anyone looking at it), it should be better just remaining dead.
    • by Burdell ( 228580 )

      I actually like the way Google is doing it - nothing is stored outside the device. To transfer from device A to device B, you open the Authenticator app on device A, and it shows a QR code to import into device B. I don't want to use any of the TOTP authenticators that store your data in "the cloud" - I am then dependent on their service and their implementation of suitable encryption.

      I do wish it was more secure though, at least a passcode or fingerprint/face ID required. A notification (email or the like)

  • This bit me recently and caused me to move my 2fa to Authy from Authenticator...

  • I've weirdly had three new devices during this period (a second hand replacement for my Nexus 5X which died because of that common infinite bootloop bug, then a new phone to replace that after it was just too old and slow, and an additional new secondary phone for an overseas contract I had), and dealing with Google's Authenticator was a total pain in the ass.

    It was really hard to find basic information like whether or not the default Android backup device included Google Authenticator info (spoiler: it doe

  • A once-employer made me add 2F-auth to my Github account before giving me access to their private repository.

    After I left them, I lost access to the repository, but didn't bother disabling the 2F-auth. Because it is good for security, right?

    And then my phone died. Although I was able to restore settings on a new one from backup, the Authenticator was empty...

    And then it turned out, Github will absolutely not — under any circumstances — remove the 2F-requirement from your account. Nope. No way, no how. And the "recovery keys" they once e-mailed me, were left on the old employer's mail-server...

    After six months idle-period, Github gracefully agreed to delete the account — and allow me to create a new one with the same name...

  • Why bother when we have Authy and YubiKeys?

    Seriously, I'm not installing separate apps for each 2FA account I have. It's laughable that these apps won't allow me to have more than one account on a single service. I use Authy because it takes care of that for me.

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...