by sneak 532 days ago
The most common 2FA mobile app that isn’t a password manager is Google Authenticator.

Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.

Also, TOTP in general is bad, because it is easily phished, just like passwords. Using a password manager to store TOTP cuts down on phishing risk as it won’t input them into the wrong domain site. Copying them manually from a different app is still vulnerable to phishing.

4 comments

> Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.

Not true anymore. [0]

[0]: https://www.theverge.com/2023/4/24/23696058/google-authentic...

Google Authenticator does support exporting and syncing now:

https://security.googleblog.com/2023/04/google-authenticator...

FreeOTP+, available on F-Droid [1], provides for import/export of one's stored codes.

The problem with "phishing" is not the technology. Phishing is 100% a human issue, and no matter what tech you might use, those humans vulnerable to being phished will find a way to be phished.

[1] https://f-droid.org/en/packages/org.liberty.android.freeotpp...

What would be the way to phish someone who has a hardware security key that they have to touch?

For Google Authenticator, you can do an export for device migration. Once it shows the QR code image, snap it and then abort the migration. Back up the QR code for later restoration.