Hacker News new | ask | show | jobs
by azinman2 2564 days ago
The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d. I also doubt many use/print recovery codes, and if they do, good luck finding them 7 years later.

Overall the situation isn’t great.
6 comments
wccrawford 2564 days ago
I just went through this situation with a couple non-Google companies when I upgraded my phone, not realizing that their authentication info wouldn't transfer when Google transferred my data to the new phone. I thought I had double-checked that I had everything, but this got missed.

It was a pain for all of them, but it was worst for the ones that I had no other auth systems set up. (Or the ones that had my old phone number for SMS still, even though I thought I'd changed it everywhere.)

In the end, there's still no good system for real security. You're either stuck with a device you might lose (or someone might steal), or stuck with an account that you might cancel (or someone might steal). Or use biometrics which are just not ready for prime time.

link
retromario 2564 days ago
I encountered the similar problem the last time I upgraded. There are alternatives to Google Authenticator that offer backups and cloud syncs while maintaining security. andOTP on Android and OTP Auth on iOS. https://play.google.com/store/apps/details?id=org.shadowice.... https://apps.apple.com/us/app/otp-auth/id659877384
link
Shank 2564 days ago
> The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d.

You can save the QR code that was used during setup to repeat the onboarding at any time. You can also use Authy, 1Password, or another service that lets you store the one-time password somewhere else. Or use U2F devices when possible.

link
hv42 2564 days ago
I would recommend saving the recovery codes in a password manager app (that is not your browser)
link
Tepix 2563 days ago
No, Google Authenticator is not tied to a device. It's a standard (TOTP, RFC 6238) and you just need to use an app (perhaps not Google Authenticator, I use a different app myself) that will let you see the numerical code that you need to save somewhere.
link
azinman2 2563 days ago
It’s tied to the device as in it won’t be part of your backup to a new phone.. you have to manually transfer it yourself which according to you is using another app!

So the likelihood of moving to a new phone without those codes transferred is very high. Not exactly an easy experience.

link
nomadluap 2564 days ago
I still have my Google Account recovery codes in my wallet that I first generated in 2011.
link
azinman2 2564 days ago
Better not lose your wallet!

When you’re at Google scale, all of these methods have real world flaws.

link