by luke3butler 3226 days ago
That's not Authy/Google Authenticator. That's social engineering their way into getting a person's text messages for SMS 2FA.

If you can compromise the iCloud account of an iOS user (pretty sure iOS 2fa is only SMS based), then you can install google authenticator on your own device.

I'm sure it's more complicated than that in reality, but if you have SMS access, you only need to find one weak link in the chain including iCloud/google, email provider, app provider, etc.

> install google authenticator on your own device.

You sure can, but will you then have the requisite TOTP secrets?

No. iCloud backups don't contain keychains, where the Google Authenticator stores its seeds.

Doesn't iOS keep the keychain synced with iCloud Keychain? Or at least, it's user configurable. I'm pretty sure I opted out of it.

Good news is, according to Apple [0], you can protect your iCloud Keychain with a six-digit code required to move the keychain to a new device.

[0] https://support.apple.com/en-us/HT204085