[tombrossman]

While this comes too late to help you right now, I recommend looking at running a 2FA app on your laptop or desktop like this - https://github.com/gbraad/gauth so that you are not in this situation again.

Either that or grab a cheap Android handset and use it as a backup. The standard 2FA app on Android needs nothing more than occasional network connectivity to keep the clock in sync. You don't even need a Google account, the app is on FDroid.

Cloudflare is huge and many of us rely on it, so I hope you can easily avoid this predicament in the future - good luck!

[pilif]

>I recommend looking at running a 2FA app on your laptop or desktop

I very strongly recommend against doing this: If you do that, you are giving up a lot of security provided by that second factor as the malware you are using 2FA to protect against now also has access to the keys used to create the 2FA token.

[tombrossman]

This is a fair point of course, but running it on a second laptop is probably more secure than running it as a mobile app. You wouldn't run it on the same machine you are pushing production code out from, it could be a personal laptop with no access to company systems. I didn't make this point clear in my original comment though.

[microtonal]

If you have malware, it can also act as a proxy requesting your codes and forwarding them (e.g. to disable 2FA). 2FA protects against password theft.

If your machine is compromised, it's over.

[hobarrera]

You're assuming the laptop has malware installed capable of pretty unrestricted access. At that point, all bets are off.

It can just forward code, relay cookies, etc. 2FA protects against someone peeking at your keyboard, or reused passwords, not malware.

[mdaniel]

the app is on FDroid

I recently learned that there is an authenticator in f-droid, but not the authenticator, if one reads the notes at the top of the f-droid listing: https://f-droid.org/repository/browse/?fdid=com.google.andro...

I don't even know what they would want to stick in the Play store's authenticator above the already open sourced functionality.

[scintill76]

"DISCLAIMER: This open source project allows you to download the code that powered version 2.21 of the application. Subsequent versions contain Google-specific workflows that are not part of the project."[0] The Play Store version is 2.49[1], but I also don't know what "Google-specific workflows" really entails.

[0] https://github.com/google/google-authenticator-android/wiki [1] https://play.google.com/store/apps/details?id=com.google.and...

[dunham]

If you're really desperate: When I last checked, Google Authenticator's keychain entries were not marked "this device only", so they can be extracted from an encrypted backup using something like "iphone-dataprotection" tools.