by cultofmetatron 1204 days ago
My phone recently just died. Only two years old. All my authenticator stuff is gone. SMS is fine, I just move the SIM to a new phone.
4 comments

Yeah that's the problem - TOTP with a basic app is pretty easy to use, but making sure you're protected from a phone suddenly lost or broken scenario is tougher, and you may not know you need to do it until it's too late. How many people actually store those backup codes properly or go to the trouble to use a third-party app that supports backups and actually do backups?
Just store backup codes, using a 2FA app like authy which can be swapped via SMS defeats the entire point of using 2FA authenticators in lieu of SMS.
Wouldn't most people just use Google Authenticator and have it automagically back up to google's nigh unlimited storage space?

Obviously not something anyone who respects their privacy would subject themselves to, but it seems to me like the easy path leads to these things being backed up.

Obviously if google has your 2FA keys and you were using 2FA keys to log into your google account then you would need to recover your account, but you would be stuck in the same situation as if you had damaged/lost your SIM (e.g. if you lose your phone).

Google Authenticator does not back up TOTP state to Google. In fact, AFAIK, the app does not talk to the internet at all, much less associate with a Google account.

You can transfer your Google Authenticator state to another phone. This is accomplished through scanning QR codes -- no data is transferred over a network. This is a relatively new feature; for many years, Google Authenticator refused to provide any way to extract the authenticator state from the phone at all. You literally had to root your phone to get the state out.

It's designed this way because if your TOTP state were backed up to your Google account then it would no longer provide any additional security over Chrome's password manager, which is also backed up to Google. The two factors in "two factor" are supposed to be "something you know" (password) and "something you have" (phone, or security key). In order for the authenticator app to really be "something you have", it has to be hard to copy.

> It's designed this way

It's a bad design then :) . I dropped gauthenticator years ago because of the ridiculously user-unfriendly inability to transfer/backup auth codes. What a braindead UX assumption. If you pursue security purity too far, people just won't use it.
You can transfer the state between phones now, they relented on that (a good thing, IMO).

Again, if you want auto backup to the cloud then you might as well just not use 2FA and rely on your password manager alone.

Personally I use hard keys wherever possible. Much better UX (and security) than any authenticator app. Just have to buy and register a few of them so you have backups if one breaks.

You would think that. Actually, Google Authenticator does NOT back up codes, although there are other apps that do.
I use Strongbox to back up TOTP in Keepass databases.
TOTP is only needed if you use a very weak password, which shouldn't be a thing with Keepass.
What if your password is leaked from some website’s database or you have a keylogger or someone somehow sees it? Wouldn’t it help then?
Keepass shows passwords as a sequence of masked characters https://keepass.info/screenshots/keepass_2x/main_big.png

If you have a keylogger, it will just steal your TOTP.

That's good for you, is grandma going to do that?
I'm a programmer, and when I was told to store backup codes, I saw the site still had a "Forgot Password?" button, so I dismissed it as a QUICK way to recover, not the ONLY way!

The only one who told me losing backup codes means losing your data forever was my bitcoin wallet. (Ironic)