by dangero 3192 days ago
Tangent, but the article mentions using Google Authenticator -- I was going to start using that recently, but the reviews indicated it had some really big problems with restoring when you get a new phone etc and Google isn't really maintaining it. https://itunes.apple.com/us/app/google-authenticator/id38849...

Can anyone comment on their 2fa approach to google?

9 comments

Always save the keys (or the scanner code) whenever you add them to Authenticator. Then, when you get a new phone (or whatever) you can just re-import the keys.
It's pretty stupid that Google doesn't allow for any way of getting the keys out of its 2FA app. Your only transition path is backup/restoring an entire device to a newer one of the same OS.

There's no direct path to migrate from say an iPhone to an Android based phone without manually adding each 2FA entry to the new device.

> Your only transition path is backup/restoring an entire device to a newer one of the same OS.

This isn't an option on iOS! When I bought an iPhone a year and a half ago, the 2FA keys were not included in my iTunes device backup, even though backup encryption was turned on. I had to manually create new keys for all seven sites I use Google Authenticator with.

They're definitely included as I've done it a number of times. I'm going to wager you don't have your iTunes set up to backup apps from your phone. I think there's a separate check box you have to click once to enable it.
The secrets are in the keychain, which is backed up.

Google Authenticator used to store its secrets in the device's keychain as available "while unlocked". This allows them to be stored in the backup in a way that can be transferred to a new device - if you use an encrypted backup. It also makes it possible to extract the keys if you know the backup password. (I have code that does this, inspired by the old "iphone-dataprotection" codebase on google code.)

Google Authenticator now (last I checked) marks its keychain entries as "This device only" - this still allows backup/restore, but only to the same device. They are wrapped by a key only available on that specific device (the 0x835 key - you used to be able to extract it on a jailbroken device, but I'm not sure that's possible anymore).

It's possible you have grandfathered entries or even an old version of Authenticator. But I no longer see entries for "CLNPY5GLN9.com.google.Authenticator" in my decrypted keychain, so it must have migrated my old entries. Before my phone dies, I need to go through all of mine and make sure I've got a backup or regenerate the ones I'm missing. (I have old snapshots of decrypted keychains.)

If you have a rooted phone, there is another option: copying off the sqlite database. At that point you can generate QR codes with a tool like WinAuth. Bit of a pain, but very doable (if you rooted your phone).

Bypassing this with Authy is generally a better idea.

I think they do this to make it harder for an exploit to just run the command to get the keys. I'm torn whether I think this is really an issue or not though. From a security standpoint it is one less attack vector to get my 2nd factor keys. From a usability standpoint it is annoying when I switch devices. I personally solved this problem by storing my two factor auths on my yubikey neo which is a bit more portable. I don't think there is a way to get the keys off of there either but at least the key itself is portable and works with Android and all my desktops/laptops. I am not sure if they ever figured out iPhones though.
I agree this is SHOCKINGLY not consumer ready. Considering all the shaming I see every hack about 2fa I expected it to be pretty streamlined.
As an additional note: I strongly recommend storing these keys securely offline. With these keys someone can replicate your 2FA generator, so you really want it not hackable.

Paper in a fireproof safe is excellent for these sorts of things, or a safety deposit box.

Google Authenticator is really just TOTP. My preferred approach is to use 1Password, which handles TOTP codes just fine.
On Android, I use FreeOTP; I can make backups with `adb`.

Separately, I use KeepassXC (https://keepassxc.org) and store all my 2fa seeds in a dedicated (separate) 2fa database which I keep locked. You can also keep it in the same database as your password db if you want to trade the 2nd factor for convenience but still get the added benefit of one time passwords.

> I can make backups with `adb`

Does it follow that an attacker can make a "backup" of your 2fa codes as well, if they get ahold of your phone for a minute or two?

Physical device access is where this kind of security ends. If someone stealing your phone just to get your 2fa codes is a threat vector for you, you should be using different/additional factors.

In any event, as was pointed out, adb needs usb debugging turned on, which needs the device unlocked to be enabled.

You need to authorize each adb key on the phone, so a screen lock prevents this.
No, because you can (and should) disable usb connectivity/debugging.
I personally use Authy, and it's survived several migrations to new phones.
I always (usually) get a copy of the string token when adding a "google" 2fa. I store this in a password manager.

This allows me to have more confidence in recovery, as well as adding more devices, etc.

In addition to the other suggestions, I can recommend using a Yubikey with NFC together with the Yubico Authenticator. You can easily move between devices.
Authenticator Plus. It's a paid product, but allows me to sync my TOTP tokens to my Google drive account, so I'll never have that problem again.
I just changed phones and found this really simple. You can just store a phone number with Google and receive an SMS key if you forgot to print off a key before changing phones.

Everything seems to be working pretty well for me and I noticed improvements since last using the app 1+ years ago, but obviously can't guarantee it's still being updated.

That might work with Google itself but TOTP based 2FA codes aren't specific to Google. They can be used out of band by anyone and the SMS approach wouldn't apply to anybody else.
Ahh yes - excellent point.
I thought Google Authenticator was not recommended, and that Google was fully backing 'Duo'