PSA: Google Authenticator Now Supports 2FA Backup Using Your Google Account

PSA for those that still use Google Authenticator.

We are excited to announce an update to Google Authenticator, across both iOS and Android, which adds the ability to safely back up your one-time codes (also known as one-time passwords or OTPs) to your Google Account.

One major piece of feedback we’ve heard from users over the years was the complexity in dealing with lost or stolen devices that had Google Authenticator installed. Since one-time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.

To try the new Authenticator with Google Account synchronization, simply update the app and follow the prompts.

Google Authenticator now supports Google Account synchronization

Don't forget to set up Google account single-use backup codes.

Edit: Google is not using End-to-End Encryption. It will be added later on.

PSA: Google Authenticator's Cloud-Synced 2FA Codes Aren't End-to-End Encrypted


Comments

  • +1

    Can't see any update yet.

  • +8

    Already moved everything to Authy due to this exact reason, not sure how it wasn't a feature to begin with.

    Also, might not be the most robust design if you have your primary email identity (with the most sign-up and online website exposure) to also hold all of your 2FA keys, I like the ability to isolate these to another platform (i.e. if you get locked out of Gmail you lose everything), versus having all the eggs in one basket.

    • How long did it take you to move over? Did you do it all in one go or just change them one at a time when you visit that particular site?

      • I did it all in one go, the aim was to not only migrate from Google Authenticator > Authy (and back up the 2FA key elsewhere at the same time), but also where possible remove SMS MFA and transfer it to an App MFA since this does not have the same risk of SIM swap attacks.

        Took about a day but well worth it from a DR/security perspective since I was able to kill three birds with one stone. (Migrate, Backup 2FA, Remove SMS MFA)

        • I'll have to work up to it I guess. Don't know if I can do it all in one go especially right now.

        • Does Google Auth have an advantage over Authy because you get a Yes/No prompt on Android phones instead of having to type in a number?

          • @fredblogs: I have no idea, but that probably shouldn't have any impact on what your decision should be for a security and disaster recovery planning scenario in my opinion. I do have an Android but I use Authy across my PC, laptop and mobile.

          • @fredblogs: No. They are separate means of auth. Depending on how risky the transaction is Google will either send a prompt or ask for a 2fa key. This only affects the 2fa part. Using Google auth for this doesn't have any inherent advantages.
            I agree with rekke - you really should isolate your 2fa account from the google one.

          • @fredblogs: The Yes/No prompts are less secure as they’re potentially open to MFA Fatigue attacks.

    • I was gonna say… this comes literally a week after I moved both mine and wife's accounts over to Authy

      • Authy is still better. If you have 1Password or Bitwarden you can back up your code as well. Bitwarden free only allows you to save the code, the paid version allows you to generate it as well.

        • Backup which code sorry? I have both Authy and paid Bitwarden so this sounds like something I should look into

          • @chartparker: When you enable 2FA for a service, look for the manual method instead of scanning the QR code. Paste the long string into Bitwarden's TOTP field for that service. Now it's synced just like your password and you can generate the TOTP from the phone or web browser. In fact it automatically copies the 6-digit code to clipboard so all you do is paste (phone app or browser)

            • @soan papdi: Just be aware that this really does introduce a critical single point of failure for everything. There is an argument to say that your Password Manager should not also hold your 2FA keys since if you do become compromised then the malicious actor truly has access to everything. Compare that to if you have your 2FA keys isolated to a separate platform like Authy, the accounts with 2FA sending accepting OTP tokens from Authy will not be compromised. Even if you have your Authy password stored in Bitwarden, they still need one of your physical devices to accept to be able to get into your Authy account.

              There is an argument to even have your MFA provider account details not stored in your password manager at all, so you effectively have two passwords that are stored offline to harden your security.

              • @rekke: Getting someone non-technical to use bitwarden for passwords and authy/goog for TOTP is not going to fly. You're right about the SPOF but this is a compromise solution for me.

              • @rekke: This is spot on, really need to keep 2FA and password manager separate otherwise the scenario described can play out.

                Painful but necessary if you want to go down the 2FA route and expect its protection.
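
An added example (not code from the post, or from Google, Authy or Bitwarden) showing what the "long string" from the manual setup method and the enrolment QR code have in common, and why a password manager holding it is the single point of failure described above: the base32 secret alone reproduces every 6-digit code. The otpauth:// URI, issuer and account name are constructed; the key is the RFC 6238 reference key.

```python
# Added example, not code from Google Authenticator, Authy or Bitwarden.
# The QR code a service shows at 2FA enrolment encodes an otpauth:// URI whose
# "secret" parameter is the same base32 string offered by the manual method.
# Whoever holds that string can compute the codes (RFC 6238, HMAC-SHA1).
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# RFC 6238 reference key, base32-encoded the way an enrolment QR presents it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed otpauth:// URI of the kind an enrolment QR code encodes.
DEMO_OTPAUTH_URI = (
    f"otpauth://totp/ExampleCorp:alice%40example.com?secret={DEMO_SECRET_B32}"
    "&issuer=ExampleCorp&digits=6&period=30"
)


def secret_from_otpauth(uri: str) -> str:
    """Extract the base32 secret from an otpauth://totp/... URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    return parse_qs(parsed.query)["secret"][0]


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """HMAC-SHA1 TOTP (RFC 6238) for the given epoch second."""
    # Hand-typed secrets are often lower case and unpadded; the decoder wants both fixed.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)      # 30-second time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    secret = secret_from_otpauth(DEMO_OTPAUTH_URI)
    print("QR secret equals manual string:", secret == DEMO_SECRET_B32)
    print("current code:", totp(secret, int(time.time())))
```

The values asserted for the reference key at T=59, 1111111109 and 1234567890 are the last six digits of the RFC 6238 Appendix B SHA-1 test vectors.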

  • +1

    Still no PC version that functions as a stable device, unlike Authy ;)

  • One of the reasons I moved to 1P.
