by hsbauauvhabzb 1088 days ago
Google Authenticator decided to nuke all my existing MFA tokens during a recent update/refresh of their app.

I can tell you to sort your redundancy now, it’s much easier than later.

I can also tell you to avoid google tooling, they seem completely disinterested in support and more interested in market share.

Google can go to hell for the time / account access I lost, fuck them.

5 comments

I stopped trusting Google Authenticator several years ago when I realized it had no syncing, backup, or even device transfer functionality whatsoever. A quick test made me realize that if anything happened to my device, I would just lose all of my 2FA keys with no way to recover them. I also then realized that if anything happened to the app (which apparently has a couple of times throughout its existence), I’d have the same problem.

I migrated to Authy because it at least has syncing and backup functionality. Sure, it’s less secure, and I should probably self-host somehow for the best security/stability assurances, but Authy seems to work pretty well for what I need it for.

Google Authenticator has supported manual device transfer for some time via QR code.

You can decode these application-specific QR codes for backup or transfer purposes using a third-party tool: https://github.com/scito/extract_otp_secrets

As long as one keeps the original string and/or QR code safe (in a separate password database), TOTP can be put on multiple devices, is backed up, and one will not get locked out of accounts. But also, at the same time, none of the MFA setup flows on any website tells the user to keep "this" string safe. Once that string is gone, there is no way to recover it.

I have a printed sheet with all those strings and their account names in my own memorized encoded form (like rot13). Plus my main phone, my backup phone, my tablet, all of them have same app & codes (all devices have fingerprint & pattern locks).

It can now be synced and backed up in your Google account, which you can tie to your real identity with your phone number and telecom company where you can have a contract... In addition, you can have a $10 Android phone that barely moves (or your old phone) sync to your Google account, get the authenticator codes, battery 77%, phone has a PIN, and shut it down and put it in your drawer/fireproof safe... Is it better to back your secrets up on paper? Why do you have to see your secrets?
> can also tell you to avoid google tooling, they seem completely disinterested in support and more interested in market share

It's been the case for ages. They show absolute disregard for the unique users. All they care about is their pseudo monopolized aggregates.

Then use Microsoft Authenticator or Bitwarden.
Why are you under the impression that I'm not?

You may need to pay more attention to what you read, the context and the users before writing.

I was under no impression whatsoever. I said if you hate Google you have alternatives. Google bashing is lame. I am sure if you have a 10 dollar phone logged in to your Google account at home, offline, you never lose your 2FA codes. But hey, aren't they just a long key you can import anywhere via QR code? If you do not trust it, or you are one of those mysterious people who lose access to the Google account (illegal activities?), then make a copy. All I said was it is irritating, this Google bashing.
Is it possible to DIY these things? Or a FOSS app on my phone?
F-Droid has a number of apps.

KeePassDX (also on F-Droid) also supports TOTP, as does KeePass 2.0 on desktop, if you're comfortable keeping it with your password manager.

PyOTP contains plenty of information about how to implement an authenticator app.

https://pyauth.github.io/pyotp/
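To make concrete what "the original string" from the enrollment QR code is, and why any device holding it produces the same codes, here is an added example of a stand-alone authenticator core. It is not code from the thread or from the PyOTP project; it uses only the Python standard library. It parses a constructed otpauth:// URI (the format an enrollment QR code encodes) and implements HOTP (RFC 4226) and TOTP (RFC 6238) directly, checked against the RFC 6238 test secret "12345678901234567890". The account label and issuer in the URI are made up for the example.

```python
"""Minimal HOTP/TOTP (RFC 4226 / RFC 6238) plus otpauth:// URI parsing.

Added example for this thread; not part of the original post and not PyOTP's
code. Standard library only, so it runs offline.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 test secret (20 ASCII bytes); its base32 form appears in the URI below.
RFC_SECRET = b"12345678901234567890"

# Constructed enrollment URI, as a QR code would encode it. Label and issuer are invented.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI into the parameters an authenticator needs."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)   # QR codes usually omit base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def backup_string(secret: bytes) -> str:
    """The string worth keeping in a password database: base32, no padding."""
    return base64.b32encode(secret).decode().rstrip("=")


def verify(code: str, secret: bytes, unix_time: int, window: int = 1, **kw) -> bool:
    """Server-side check allowing +/- `window` time steps of clock drift."""
    period = kw.get("period", 30)
    for step in range(-window, window + 1):
        candidate = totp(secret, unix_time + step * period, **kw)
        if hmac.compare_digest(candidate, code):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    account = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    # Two "devices" holding the same secret agree on the code for the same time step.
    device_a = totp(account["secret"], now, digits=account["digits"])
    device_b = totp(account["secret"], now, digits=account["digits"])
    print(account["label"], device_a, device_a == device_b)
    print("keep this safe:", backup_string(account["secret"]))
```

The `backup_string` output is exactly the `secret=` parameter from the URI, which is why a printed copy of it (or of the whole URI) lets you re-enroll any number of devices without touching the app vendor's sync.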

I would avoid anything KeePass, simply because it seems like an absolute mess of forks. How do you know which KeePass* to use? How do you know the one you pick won't be superseded by another fork in 2 weeks? Why does the world need KeePass, KeePassX, KeePassXC, KeePassDX and KeePass 2?
The original, KeePass 2, is quite good. The prior version is only for the old database format. The nice thing about it is you can automate sync in many ways, and it has plug-ins that do lots. Every other tool uses KeePass 2 databases.

I used KeePassXC but it didn't sync like I wanted using Syncthing. Other sync stories probably work better, like Dropbox.

Kee is the browser extension I use and it's pretty good. They also have a sync service you can buy, but it's free to use with KeePass 2. I liked it better than the extension that's compatible with KeePassXC.

KeePassDX is pretty great. It's working well with my setup, especially using Brave as I avoid Chrome. Incidentally, I think recent Chrome updates have complicated things for password managers on Android but alternative browsers work great. I use it with a longer timeout to lock the database than the default.

I think KeePassX is superseded by KeePassXC.

So, if you ignore most of the other forks, you don't need much analysis paralysis, and everything works well.

For iOS, it's hard to find FLOSS solutions but there are paid apps that are supposed to work well to integrate with KeePass 2 databases.

Google authenticator, yes. I use andOTP which is great. I think it's no longer being updated but there's many alternatives too.

For passkeys I haven't seen a full open source implementation that actually works. Some parties like bitwarden promise it but aren't finished afaik.

JFYI, Aegis is a decent and maintained FOSS replacement for AndOTP and can import backups from the latter (in case it ever stops working).
Oh yeah that's the one I was thinking of.

However it lacks the ability to GPG export using OpenKeyChain which is why I went back to AndOTP.

Ah is that why I couldn't log in to so many important things for which google sso was effectively forced on me?
I was upset Google Authenticator auto-updated somehow even though I specifically try to prevent that.
Recently, I thought it had been forcefully uninstalled somehow and that I had lost everything (well, I have a backup plan, but still...). Turns out, it changed name AND logo... so I "just" couldn't find it at its usual location, and had a hard time finding it entirely.
search in apps with name: authenticator
This feels a bit like user blaming. Imagine someone getting to the office and getting annoyed at you because they changed their name, didn’t tell you, and you used the wrong name. You could have looked them up in the corporate directory, but you don’t know what their new name is and their previous name is no longer listed.

Communication was poor, mobile OSes should probably account for this (if for nothing else, to prevent major functionality pivots / spamware) etc. Parent's displeasure and me losing all my MFA tokens feels like a total rug pull by Google, a pattern they are known for (sure, fool me twice, shame on me, but I never expected their MFA token app to delete all my tokens).

User blaming has oftentimes some truth in it :)

I really cannot imagine those fuckups you always write about with Google.

Somewhat irritating... is it true, is it not, are you a Google hater bot, are you not? :D

The 2FA codes are backed up in the Google account now, no way you lose them.

Before, it was basic to have them on 2 different devices at least...

I don't understand how it is possible to lose them.

Fun fact: the name of the app did not include "authenticator" before the rename. Because guess what, my Android phone is not in English. So the name was the localized version of "Google Authenticator" (I think it was Google認証). Now it's "Authenticator". No "Google", and not localized, and, obviously, not at the same place while sorted with everything else. And not the same icon.
You are then right, sorry, I could not imagine such a fuckup :)