Google Security IT Technology

Google Authenticator Can Now Sync 2FA Codes To the Cloud (techcrunch.com)

Google Authenticator just got an update that should make it more useful for people who frequently use the service to sign in to apps and websites. From a report: As of today, Google Authenticator will now sync any one-time two-factor authentication (2FA) codes that it generates to users' Google Accounts. Previously, one-time Authenticator codes were stored locally, on a single device, meaning losing that device often meant losing the ability to sign in to any service set up with Authenticator's 2FA. To take advantage of the new sync feature, simply update the Authenticator app. If you're signed in to a Google Account within Google Authenticator, your codes will automatically be backed up and restored on any new device you use. You can also manually transfer your codes to another device even if you're not signed in to a Google Account by following the steps on this support page.

Some users might be wary of syncing their sensitive codes with Google's cloud -- even if they did originate from a Google product. But Christiaan Brand, a group product manager at Google, asserts it's in the pursuit of convenience without sacrificing security. "We released Google Authenticator in 2010 as a free and easy way for sites to add 'something you have' 2FA that bolsters user security when signing in," Brand wrote in the blog post announcing today's change. "With this update we're rolling out a solution to this problem, making one time codes more durable by storing them safely in users' Google Account."

  • by kriston ( 7886 ) on Monday April 24, 2023 @03:45PM (#63473616) Homepage Journal

    Twilio's Authy has had this feature for years.

    • As has Bitwarden.

      • by Shaitan ( 22585 )

        Yes but you can control your own private bitwarden instance.

        If I want to hand over access to everything I have to any yahoo with a rubber stamp from a FISA court or who doesn't have one but activists at Google feel inclined to support Twitter style this seems like a good idea. Otherwise if I want access control to remain in my hands rather than Google's this is a terrible idea.

        This update brought to you by the same folks who just tried to claim FB was trying to facilitate child pornography by spreading end-

  • Great (Score:5, Insightful)

    by dskoll ( 99328 ) on Monday April 24, 2023 @03:48PM (#63473624) Homepage

    So now if someone compromises your Google account, they can access your 2FA codes for other non-Google accounts. Excellent move, Google.

    Then there's the chicken-egg problem... if you lose your Google Authenticator device, your 2FA codes are safely stored... precisely where you can't access them unless you've copied your emergency codes somewhere safe. I bet around 2% of people bother to do that.

    • Re:Great (Score:4, Funny)

      by Ksevio ( 865461 ) on Monday April 24, 2023 @04:03PM (#63473660) Homepage

      Just turn on 2FA for your Google account. It's really easy, there's even an app you can use and....wait a minute!

      • I think Google fundamentally doesn't understand 2FA. They don't even appear to support CTAP2 on any single one of their products, just old CTAP1, even though CTAP2 has been a thing for three years now. No resident key support, no pin support. Doesn't seem like they will support it any time soon either. People have been asking for it and Google's responses have been either totally silent or totally dumbfounded thus far.

      • Just turn on 2FA for your Google account. It's really easy, there's even an app you can use and....wait a minute!

        You laugh, but I do precisely that with my 2FA provider. The trick is that I have a printed copy of the QR code stored in my physical safe, along with a whole bunch of other "recovery" information and instructions for my next-of-kin.

    • The point is to have multiple devices, the cloud is just an intermediary.

      • by dskoll ( 99328 )

        I do have my TOTP secrets stored on multiple devices, without using the cloud as an intermediary. Unfortunately, Google has no incentive to make that convenient.

        • by dskoll ( 99328 )

          And no, exporting using QR codes is not convenient when the device doing the import barfs on QR codes with more than about 5 TOTP secrets in them.

      • by Shaitan ( 22585 )

        No, the cloud is a central storage point within third party control. In security we call this a MITM (man in the middle) and it is considered a form of attack.

    • by AmiMoJo ( 196126 )

      It will probably get integrated into Chrome at some point. Optional of course, but for most people who don't use 2FA at all it's still an improvement.

      When doing security on this scale you always have to remember that even the smallest bit of friction will put off most users, and as you note most probably don't have their backup codes to hand.

      Naturally you don't use Google Authenticator anyway.

      • by Shaitan ( 22585 )

        "for most people who don't use 2FA at all it's still an improvement"

        No it isn't. It is a MITM attack that creates the ILLUSION of an improvement, that is worse than not having 2FA because someone who lacks 2FA (is that anyone anymore? It is mandatory for just about everything.) will realize their lack when they do become aware of it at some point. Someone with this turned on will be lulled into a sense of security while having completely compromised themselves.

        • by AmiMoJo ( 196126 )

          Having to create a MITM attack, in an age where Chrome enforces HTTPS connections to websites by default, is far from trivial. Chrome has decent phishing protection too, and if the code generator was built in it could verify the domain and certificate of the site before handing the code over.

          • by jsonn ( 792303 )
            So you expect that no random secret US court will ever order Google to attack the 2FA mechanisms of a Persona Non Grata? Like maybe some who leaked proof of more US war crimes?
            • by AmiMoJo ( 196126 )

              You expect people at risk from the US government to be storing their secrets in a Google account?

              • by jsonn ( 792303 )
                First, people are stupid. Second, not everyone knows in advance when the US government decides they are a risk. You could be a well paid Airbus engineer for example and Boeing needs some help again...
                • by AmiMoJo ( 196126 )

                  So just in case someone who should know better has a Google account, everyone should suffer worse security.

                  • by Shaitan ( 22585 )

                    You have this backwards... this change results in less security not more. Everyone with an Android device has a Google account. Apple already uses known and intentionally vulnerable cloud storage for data at rest to provide a government back door. So they are screwed on any major platform under that notion but at least their keys were in secure storage on their client device on Android... until now.

              • by Shaitan ( 22585 )

                Well the users of google authenticator DIDN'T choose to store their secrets in a Google account. Google is changing the behavior and stealing their keys without consent.

            • by Shaitan ( 22585 )

              Or for that matter a foreign court. Google operates in many nations and could be compelled and gagged by a Chinese court.

          • by Shaitan ( 22585 )

            Having to create a MITM attack? Google is the MITM here. They are accomplishing it with an app update. Your app automatically updates and uploads your keys to Google without your consent.

    • by Shaitan ( 22585 )

      "So now if someone compromises your Google account, they can access your 2FA codes for other non-Google accounts."

      Yeah, someone like... I don't know... GOOGLE. The only ones praising this move are the ignorant and agencies who oppose the spread of end-to-end encryption.

    • ... copied your emergency codes somewhere safe.

      AndOTP [f-droid.org] can make an encrypted copy of the 2FA secrets on the local drive (which then needs to be saved off-device).

      I bet around 2% of people bother to do that.

      Your digital life (passwords, security questions/answers, password-recovery email addresses, 2FA secrets, product keys) must be backed up, but nobody teaches this, and despite the 'you need this' warning of online websites, people rarely think of the problem of lost authentication data.

    • I bet around 2% of people bother to do that.

      That's why I don't have any backups. They don't help or do anything since so few people use backups there's clearly no point in the entire concept.

  • huh? (Score:5, Insightful)

    by PubJeezy ( 10299395 ) on Monday April 24, 2023 @03:51PM (#63473636)
    I don't understand how this is considered an upgrade. Unless I'm misunderstanding something, it seems like they turned their 2FA into 1FA. The whole idea is that you're supposed to demonstrate control of something in addition to your account info in order to verify your activity. The idea being that you're less likely to lose your phone AND your login info. But if 2FA code is now accessible from the account itself, without needing my secondary device, isn't that just 1 factor?
    • Re: huh? (Score:4, Insightful)

      by Kelxin ( 3417093 ) on Monday April 24, 2023 @04:03PM (#63473662)
      Yes, this is a major security downgrade.
      • by bn-7bc ( 909819 )
        Yea it is, but it is a convenience upgrade for when things go tits up with the primary 2FA device, and we all know what wins with Joe and Jane public, and it ain't security. I'm sure you can turn off cloud sync if you don't want it
        • by bn-7bc ( 909819 )
          Yea, I should have expressed this better; it was not intended as a troll, but oh well, with all my typos it certainly appeared that way, so fair enough
      • I just opened it on my iPhone and chose "use Authenticator without an account". Problem solved?
    • by Xenx ( 2211586 )

      But if 2FA code is now accessible from the account itself, without needing my secondary device, isn't that just 1 factor?

      It's no better/worse than any other cloud service. For someone to get access to the stored 2FA data, they would need to either have already compromised your account or compromised Google. Either way, your account already isn't safe. That isn't an endorsement, just pointing out how it's not relevant in that context.

      • by dskoll ( 99328 )

        Many people store non-Google TOTP secrets in Google Authenticator, and may not want them shared to Google. This should definitely be an opt-in feature, but it sounds like it's not and that there's no way to opt out, either.

        • by Xenx ( 2211586 )
          Yes, but that is a separate concern from the one I replied to.
          • by dskoll ( 99328 )

            It's not really a separate concern. It makes breaking into a Google account just a little bit more attractive to an attacker.

            • by Xenx ( 2211586 )
              It really is a separate concern, as the risk they were putting forth was that the 2FA for Google would be saved in the 2FA store on Google and thus not make it a true 2FA. My point was that if they gained access to your 2FA store, they already have access to your account and thus the concern is moot.
        • by Shaitan ( 22585 )

          Even if it were opt-out the client would have likely already transferred the credentials before you opt out, rendering them compromised. They just turned Google Authenticator into a trojan.

      • by Shaitan ( 22585 )

        "or compromised Google"

        Or be Google or legally compel Google under a gag order... including doing so in authoritarian regimes like China. Google Authenticator facilitates 2FA for third party services; this could even include unrelated government services in some cases.

        Thanks but no thanks.

        • by Xenx ( 2211586 )
          Those concerns aren't unique to Google. I'm not suggesting this is a good change, I'm only refuting the claim that this makes the Google account itself less secure. Anyone that has access, by any means, to the stored 2FA data on Google wouldn't need the 2FA since they already have access.
          • by Shaitan ( 22585 )

            It absolutely makes it less secure. This means an attacker need only gain brief access to the account to have ongoing access in a manner that does not raise any alarms to the legitimate user.

            • by Xenx ( 2211586 )
              I lack the nuance to explain it differently, to get my point across. If they've gotten that far, your account is already screwed, regardless of it containing your Google 2FA. They wouldn't NEED the 2FA at that stage, and would raise just as many/few alarms after that point.
              • by Shaitan ( 22585 )

                You are failing to understand the nuance. It is not necessarily true that your account is screwed if an attacker has gained access... they might need subsequent or ongoing access for whatever they have planned. The most popular google application which requires an account is gmail.

                Using a Gmail account as a stage to hijack and maintain accounts on other services is an example of a common attack which requires ongoing access for password resets and other activities. Hijacking a session or compromising a pass

                • by Xenx ( 2211586 )
                  You don't seem to be understanding the nuance. Nothing you said there is news to me. That still doesn't change what I am saying any.
                  • by Shaitan ( 22585 )

                    What nuance is that? You claimed this didn't make the google/gmail account less secure because someone would still have gotten in momentarily to exploit it. I've just pointed out a tangible difference in account security of the google account itself.

                    Perhaps you only meant the initial compromise still requires the 2FA... but that isn't true either. An attacker no longer needs to compromise the user's 2FA at any point; if they jack a session they can get in and steal the 2FA keys, which they couldn't do before.

                    • by Xenx ( 2211586 )
                      I fully understand what you're saying, and nothing you've said negates my original point. I clearly defined the scope of my original response. I've never once said this is a good change, or that there aren't other security risks. It, however, does not inherently make the Google account itself less secure. You have provided security risks, but none of them actually prove that wrong. If you still fail to understand that, there is no point in continuing this conversation.
                    • by Shaitan ( 22585 )

                      "It, however, does not inherently make the Google account itself less secure. You have provided security risks [for the Google account, caused by this change], but none of them actually prove that wrong."

                      This is a nonsensical position. To secure is to reduce risk and the inverse is to increase it. You cannot both have increased risk to the Google account and be equally secure. At least not without a reduction of some other risk to balance the matter, and there is no security gain here.

                    • by Xenx ( 2211586 )

                      [for the Google account, caused by this change]

                      Those are words you added yourself, and not ones I agree with. I don't appreciate people putting words in my mouth. So, at this point, I have to say shove off.

                    • by Shaitan ( 22585 )

                      Are you trying to get cute? Yes, that is what it means when square brackets are in a quote, a correction or addition of context. Enabling ongoing access to the Google account and continued exploitation thereof is ongoing risk to the same. Fact, this change reduces the security of the account itself while providing no security benefit.

                      The additional point that this is essentially nothing but a scheme for Google to perform unauthorized systems access and steal your keys is the more important issue but a seper

                    • by Xenx ( 2211586 )
                      Square brackets are meant to clarify meaning or provide explanation. They are not meant to change the meaning of what you quoted, which is how you used them. So, clearly, someone is trying to be "cute".. and it's not me. Pull your head out of your ass and move on you fucking troll.
                    • by Xenx ( 2211586 )
                      I just want to clarify. Your disregard frustrated me, and I got snappy. I still stand by my point that you did in fact put words in my mouth by the way you misused the brackets. I do believe you should move on, because this isn't going anywhere. When I called you a troll, I was referring to your latest behavior. I liken it to calling someone an idiot, vs saying they did something idiotic. I don't believe it's fair to have called you a troll outright, but I do believe your behavior was befitting.
    • The point is to allow you to get a tertiary device which acts as your secondary device for authentication.

      The 2FA sync isn't accessible from the account if you haven't authenticated.

    • That's what I'm hearing as well.

      Which is absolutely par for the course when it comes to security. Everyone wants security, until it becomes mildly inconvenient, at which point some way to work around the security becomes popular (e.g. passwords on post-it notes next to the "secured" copy machine).

      I predict this trend will continue until we all routinely bypass at *least* four levels of security on a regular basis, and someone finally realizes that they can get almost as much security much cheaper by using a

    • Unless I'm misunderstanding something, it seems like they turned their 2FA into 1FA.

      You should be aware that Google has recently done that all across the web. They have enabled "log in with Google" on many sites, without your permission or interaction. If someone gains control of your email account, they can log into anything.

    • it seems like they turned their 2FA into 1FA.

      You're misunderstanding it. It's still 2FA, except that the second factor is virtualised on a cloud service instead of being a device in your pocket connected to that same cloud.

  • by dskoll ( 99328 ) on Monday April 24, 2023 @04:43PM (#63473776) Homepage

    A little bit of searching led me to Aegis Authenticator [getaegis.app] which IMO is superior to Google Authenticator.

    1. You can encrypt your secrets file with a master password.
    2. You can back up your secrets file, but doing so is optional and you get to decide where you want it backed up to. That can include Google Drive if you want, but doesn't have to.
    3. The code is open-source (GPLv3 license.)

    I'm not affiliated with Aegis in any way... I just like the looks of the app.

  • You guys still using anything by Google?

    I pity the fool

  • With something like Duo, I get an MFA notification on my watch. I confirm in one-step and done. Last time I used Google Authenticator, it could not do push notifications. I had to unlock my phone, open up the app, make a note of the code and manually enter that in on my computer. That is too many steps.

    • With something like Duo, I get an MFA notification on my watch... Last time I used Google Authenticator, it could not do push notifications...

      Of course not. They're separate types of 2FA.

      Duo involves a client application telling Duo's infrastructure to send that push request to your watch. It's fantastic; I've deployed it for more clients than any other 2FA system...but it's still dependent on Duo specifically.

      Google Authenticator (and MS Authenticator and Authy and Aegis and FreeOTP and...) use a private key and the current time and some really complicated math to generate those six digit codes.

      Each system has some pros and cons. Duo is great be

      • by linuxguy ( 98493 )

        MS Authenticator can and does push notifications, unlike Google Authenticator. At this time it appears to be limited to Microsoft apps for push notifications however.

  • The point of 2FA is that the second factor shouldn't be replicable. This "update" degrades Google Authenticator's suitability as a 2FA app. Moreover, it looks like the synchronization to Google's servers will start automatically, without an opt-in. This means that with this update Google employees invited themselves into the position of being theoretically able to access, say, one's bank account, without bothering to ask whether he or she agreed to that. This is unacceptable.
    • The short answer is yes.
      This does impact the security of your authenticator.
      It may be more convenient; however, it is convenience at the cost of security. Your secret is now shared with Google and any other device which can authenticate with Google.

    • UPDATE: the new version of the app has arrived and in fact there is no automatic upload of one's TOTP secrets to his or her Google account. You have to opt in. This is reasonable, the paranoia in my post should be disregarded.
  • So Google can steal my security info and share it with Governments that demand it? No.

  • One of my core items on my 2FA app punch list is the ability to export the list of shared secrets to a CSV, JSON, or other plain text file, so I can import them somewhere else, even if I have to manually copy/paste them, write a script to pull out the values and throw them into a format grokkable by a new PW manager, or use another script to convert the 2FA key value into a QR code for import somewhere else. Without the ability to export, I won't use the program.

    I also want known good encryption for the 2F

    • by gweihir ( 88907 )

      You can export to a QR code and scan that to get a string. You can also get the string directly. Works for a number of secrets at once.
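The six-digit codes described in the Duo-versus-Authenticator post above (a shared secret, the current time, and some HMAC math) and the plain-text export the punch-list post asks for are both small enough to show in full. The block below is an added example written for this page, not Google Authenticator's or any other app's code: it parses a Google-style otpauth://totp/ key URI into the fields an app stores, generates RFC 6238 TOTP codes from it, exports the parsed entries as JSON for migration, and includes the server-side verification step with a constant-time comparison and a one-step clock-drift window. SAMPLE_URI is a constructed enrolment URI carrying the public RFC 6238 reference seed, not a real secret.

```python
"""TOTP (RFC 6238) generation, otpauth:// URI parsing and a plain-text
export, as a stand-alone illustration (not Google Authenticator's code)."""
import base64
import hashlib
import hmac
import json
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 6238 reference seed "12345678901234567890"
# in Base32, as it would appear in an enrolment QR code. Not a real secret.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth_uri(uri):
    """Split an otpauth://totp/ key URI into the fields an app stores."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    label = unquote(parsed.path.lstrip("/"))          # "Issuer:account"
    issuer_from_label, _, account = label.rpartition(":")
    params = parse_qs(parsed.query)
    return {
        "issuer": params.get("issuer", [issuer_from_label])[0],
        "account": account.strip(),
        "secret": params["secret"][0].replace(" ", "").upper(),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, then dynamic truncation."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)   # restore Base32 padding
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, for_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter derived from Unix time and the period."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time) // period, digits, algorithm)


def code_for_uri(uri, for_time=None):
    """Generate the code for an enrolment URI at the given (or current) time."""
    e = parse_otpauth_uri(uri)
    return totp(e["secret"], for_time, e["digits"], e["period"], e["algorithm"])


def verify_code(secret_b32, submitted, for_time=None, window=1,
                digits=6, period=30, algorithm="SHA1"):
    """Server-side check tolerating +/- `window` time steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    if for_time is None:
        for_time = time.time()
    base = int(for_time) // period
    return any(hmac.compare_digest(hotp(secret_b32, base + d, digits, algorithm),
                                   submitted)
               for d in range(-window, window + 1))


def export_entries(uris):
    """Plain-text (JSON) export of parsed entries, for moving to another app."""
    return json.dumps([parse_otpauth_uri(u) for u in uris],
                      indent=2, sort_keys=True)


if __name__ == "__main__":
    print(export_entries([SAMPLE_URI]))
    print("current code:", code_for_uri(SAMPLE_URI))
```

Run it directly to print the export and the current code. The export is deliberately unencrypted so that it is greppable and scriptable, which is exactly why it must be written somewhere already encrypted; the one-step window in verify_code is the usual tolerance, and widening it is what lets an observed code stay valid for longer, so a verifier keeps it as small as its clients' clocks allow.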

  • ...There are no nice, genteel words for the "decision process" that spurred this change. This is straight-up congenital brain damage. I guaran-fscking-tee you that all bugs filed against this change were closed with the sniffy, "NOTABUG: Working as designed."

    Google Authenticator was correctly designed from the outset. You do not create a single target for adversaries to attack. You distribute the secrets and ideally isolate them so that adversaries have to compromise thousands of systems instead of ju

  • I have to consider this change malicious. It deliberately allows access to the 2FA secrets when the whole point of 2FA is that nobody but the owner has access to them. The correct way to handle transferring secrets is how GA already did it: generate QR codes containing the secret database and scan them in on the new device. No need for the cloud at all. The only thing lacking would be the ability to export an encrypted copy of the database so it could be backed up locally in the event of the device failing

    • by gweihir ( 88907 )

      Indeed. I guess I will very much _not_ update the app and make sure it does not have any network permissions. Might also move to an alternative that does not have this "feature" or where I can depend on it being off unless I gave explicit permission. My trust in Google is non-existent these days.

      As to backup, I have a backup on an old Kindle Fire which is permanently in airplane mode and a second one on an old Android phone without a SIM card which also is in airplane mode and usually off. That is quite enough

  • ... there was no option to make it mandatory for all access to the account, and Google preferred to entrust the account to a cellphone provider.
  • Make it meaningless...
  • Something you have... I don't really think I can say I "have" the cloud..
  • > your codes will automatically be exfiltrated

    TFTFY

    Holy crap are opsec teams panicking today!

    Use Aegis for standalone anyway.

  • I just updated my iPhone app. Next time I launched it, a splash screen encouraged me to log in to my Google Account, but offered a link to use Authenticator without a Google account. There's a slashed-through cloud icon at the top of my screen. When I tap it the app notes "Your codes are not being saved to your Google Account".
