[obarthelemy]

I'm not really in favor of putting 2FA codes in the Cloud, see that password manager that got hacked a few months ago. Granted, we can expect better from Google, but still, they're not accepting any liability.

Google Authenticator already has a QR-Code based very easy export procedure, I just backup my GAuth to my spare phone and tablet. It feels safer because it's physical.

Of course, not everyone has several devices, and physical security is not granted to everyone. I guess cloud-backedup 2FA is better than no 2FA, or than 2FA with no backup at all. But... Cloud ? for security stuff ?

[notfed]

I think rest assured your backups will be encrypted-by-password.

Though, I often find myself wondering if this represents going in circles with security. If the security surface of all of your 2FA keys now reduce to one measly password, well, wait a second, does protecting everything with two passwords count as 2FA?

[obarthelemy]

"encrypted by password" doesn't mean much by itself: is the whole security chain open source ? audited by a third party ? as well as any changes ? Secured by the provider accepting responsibility for breaches and their consequences ? ...

Employees down to subcontractor's trainees can modify the code or pwd store... FYI, the industry standard for "risk of corruption" is: 3 months of wages. In low-pay countries, this means, literally, pocket change. How sure are you that whatever Google does is impervious to such insider bad actors, even if at a specific time their setup was indeed secure ?

[notfed]

Looks like I was wrong, not password-protected. Oops.

[ris]

This. For me a TOTP app/tool will only ever output codes. If it offers to let me do anything else with the key, it's a no-go.

[bombolo]

So what do you do when your phone falls down and breaks?

[ris]

Account recovery codes & other means of backup authentication until I can generate new MFA tokens. It's really not a big deal, whereas it looks like the next big cloud hack will be.

[obarthelemy]

I take my previous phone out of its drawer. Or my tablet.

[bombolo]

Very funny. But how do you login into things without the otp seed?

[iavael]

Use another device with _another_ seed (since this is auth factor of ownership you must not share seed between multiple devices just like pki private keys and pgp keys). Or if you don't have backup otp generator then use backup codes.

[obarthelemy]

It's standalone 2FA, not a paswword manager. There's no seed.

[bombolo]

Oooooh, you don't understand how google authenticator works!