[allday]

Our onboarding docs specifically tell employees to NOT use Google Authenticator precisely because of this issue. I have no idea how Google let this fester for so long, literally if even one (1) person over there was using it and got a new phone, they should have known about the issue.

[apocalyptic0n3]

Yeah, same with my company. "DO NOT USE GOOGLE AUTHENTICATOR" is littered throughout our Intranet and onboarding docs in bold letters with recommendations for different options. And people still use it and lose their codes all the time.

Now it's tied to the Google Account which means it'll be tied to either their personal or work account and now we have to worry about personal account bans removing their 2FA or when they leave the company, our suspension process killing personal 2FA that were synced via the wrong account.

[davchana]

The best and safe way is to save qr codes and or strings to a seperate password database (I use keepass).

[nanidin]

The app has supported bulk QR code export and import for years. This makes it easy to transfer to a new phone, and relatively easy to make physical backups.

[hirsin]

Which only worked if you had both phones working at the same time... I'd bet a sizable portion of new phone enablements are due to losing the previous phone irrevocably.

[semiotic1]

When doing a factory reset because of whatever reason, this becomes an issue as well. You cannot take screenshots of the bulk export QR-Code on Android because of FLAG_SECURE, so you need to work around that and take a photo of the screen with a different device to import from later.

Also, as of last week, there existed an issue with special characters when trying to import and the app would just freeze or not recognize the QR code pattern at all, so you better had backups of all your secret keys.

Both issues made me switch to Aegis and appreciate my past self backing up the secrets with KeePassXC.

[Helmut10001]

I have long migrated to Aegis and it is pretty awesome. Backups. Copy & Paste. Encryption. Auto-upload to Nextcloud. Better Interface (with names!). etc.

[spear]

You'd save the QR code at the time you first used it on the old phone, and not wait for when you needed to transfer it.

For me, I'd usually be on the desktop when setting up 2FA anyway, so I'd just save the QR code from the desktop browser ("Save image as ..."). When I needed to set up a new phone, I'd open the saved image on the desktop and point my phone at the screen.

[hackmiester]

That's an absurd expectation. First of all, many users don't even have or use a computer. Of course, I personally do have one, but I'm often nowhere near one when I set up MFA on a new account. So then I guess I screenshot the QR code to my phone? But if I saved the image to my phone it gets stored in my photos backup anyway. Why would Authenticator not just back its own contents up, to that exact same spot, rather than me doing some crazy runaround that for some reason involves images?

[orev]

It’s completely outside the realm of reality to expect “normal” people to do this. Most tech people don’t even do it.

[eviks]

Why go through this trouble and risk forgetting and getting locked out when you can simply switch to a better app?

[nanidin]

The QR code encodes the actual secret data for the TOTP, so backing up the QR code is sufficient.

Screenshot -> Print is one backup method.

Screenshot -> Encrypt -> Save to secure location is another method.

[daydream]

Does that mean you need to take a new screenshot every time you add a new account?

[nanidin]

Yes, but for my threat model I avoid 2fa for accounts that don’t really need it so in practice I’m not adding accounts regularly.

[ClassyJacket]

Nope, you can't screenshot the page, so you can't save the code and can't send it to another phone. This means you can never trade in a phone for a new one and if your phone is lost or stolen you're locked out of all your accounts forever.

They actively added code to prevent you taking screenshots, which is insane but true.

[nanidin]

I'm on iOS and I'm able to screenshot the QR code with version 3.4.0 of the app. Maybe the screenshot lockdown is limited to Android?

In any case, if you're trying to create a backup there are other avenues of capturing the QR code - offline digital camera is probably the most secure way of doing so.

[WheatMillington]

What if I drop my phone into the lake and need a new phone?

[nanidin]

Well, hopefully you created a backup by storing a copy of the QR code somewhere :)

[hackmiester]

This literally happened to me and is the reason I no longer use Authenticator. Everything else on my entire phone restored, but not Authenticator.

[unethical_ban]

Interesting - but not good enough. For the threat model TOTP solves, it is not absurd to want Authy-like functionality where codes can be backed up, encrypted, to a cloud service OR like Authone (?) which allows you to export the data to a file.

[bobbylarrybobby]

Right, just like I can carry a thumb drive around with my files and manually sync between every computer I use. Or just use Dropbox...