FINALLY! Google Makes 2FA App Useable — BUT There’s a Catch

Google Authenticator app now syncs your secrets: No stress if you break your phone.

It’s long overdue, but Google’s 2FA OTP app now remembers its settings between installs. For the past decade or more, la GOOG’s Authenticator app has been worse than useless to real people—because it was too easy to lose access to the secrets.

But in fixing this huge oversight, Google might have reduced your security. In today’s SB Blogwatch, we sync our thoughts.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Jiggin’.

2FA OTP ASAP?

What’s the craic? Adam Conway reports—“Google Authenticator finally gets Google Account synchronization”:

Net gain for security
Google Authenticator is an app that many recommend as a one-stop-shop to protect your online accounts with a second factor of authentication, or 2FA. It generates a unique, time-based code that you use alongside your password to get into online services, but one drawback of the service is that it’s always been tied to the phone that you’re using. That’s set to change, though.

If you frequently switch between devices or have ever lost or broken a phone, you’ll know how big of a deal this is. … Of course, this does mean that an attacker who gets access to your Google account may have an easier time gaining access to your other online services, but that’s the price you pay. … It just means that you’ll need to better protect your Google account to ensure that those services can’t be accessed, but it’s a net gain for security.

But is it, though? Kyle Wiggers—“Google Authenticator can now sync 2FA codes to the cloud”:

Loads of alternatives
As of today, Google Authenticator will now sync any one-time … 2FA codes that it generates to users’ Google Accounts. … To take advantage of the new sync feature, simply update the Authenticator app. If you’re signed in to a Google Account within Google Authenticator, your codes will automatically be backed up and restored on any new device you use.

Some users might be wary of syncing their sensitive codes with Google’s cloud — even if they did originate from a Google product. … Fortunately, if Authenticator doesn’t float your boat, there are loads of alternatives for 2FA. Authy is among the most popular, but Duo is another popular choice.

Horse’s mouth? Christiaan Brand and Kimberly Samra are excited—“Google Authenticator now supports Google Account synchronization”:

We’re excited
We are excited to announce an update to Google Authenticator … which adds the ability to safely back up your one-time codes (also known as one-time passwords or OTPs) to your Google Account. … While we’re pushing towards a passwordless future, authentication codes remain an important part of internet security today, so we’ve continued to make optimizations to the Google Authenticator app.

Making technology for everyone means protecting everyone who uses it. We’re excited to continue building and sharing convenient and secure offerings for users and developers across the web.

What took you so long? Steve Tysl sounds slightly sarcastic:

***** ****** Google, it only took you 12 years to figure out everyone didn’t use your authenticator because it didn’t back up the 2FA codes and locked everyone out of their accounts everywhere in a state of panic! Bravo!

It seems sorely needed. dftf illustrates why:

[It] has one of the lowest ratings in the Play Store for that type of app. And most of the critical reviews mention assuming that the codes would be backed up to their Google Account, but after a phone reset, or loss of a phone, found they were not.

But there are more questions than answers. fabian2k ostentatiously clears his throat:

Ahem, I think making it much easier to transfer and back up 2FA codes is extremely important to make this area more usable. But I’m missing some parts here: … How is the data protected? Is the security the same as for the Google Account itself, or are there additional checks or protection for the case where you need to restore 2FA to another phone?

And how are you supposed to handle the 2FA for your Google account? … If you have the 2FA for your Google account in the Google Authenticator, which is probably a very common case, how does this entire thing work then when you need it, which is when you lose your phone?

Wait. Pause. burndive is scathing:

It effectively makes your Google account the second factor, rather than your phone. So if you breach someone’s Google account, you can use that to:
(1) reset their passwords using the email address, and
(2) provide 2-factor authentication to their accounts.

Do not want.


Has Google thought this through? dskoll notes another potential issue:

Great. So now if someone compromises your Google account, they can access your 2FA codes for other non-Google accounts. Excellent move, Google.

Then there’s the chicken-egg problem: If you lose your Google Authenticator device, your 2FA codes are safely stored—precisely where you can’t access them unless you’ve copied your emergency codes somewhere safe. I bet around 2% of people bother to do that.
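The point burndive and dskoll are both making is a property of the protocol itself, shown here as an added example that is not from the original post, from any of the commenters, or from Google: a TOTP code (RFC 6238) is a deterministic function of the shared secret and the clock, so a byte-for-byte copy of the secret, whether on the original phone, on a restored phone, or in a backup someone else obtained, satisfies the server's check identically. The secret used is the RFC 6238 test key (ASCII "12345678901234567890" in base32), not a real credential; `SAMPLE_BACKUP`, `restore()` and the site name are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test key, base32-encoded. A published test vector, not a real secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed stand-in for the per-site record a sync/backup feature would store.
SAMPLE_BACKUP = {"example.com": RFC_SECRET}


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    # Tolerate unpadded base32 as authenticator apps commonly store it.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = for_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Relying-party check: accept the code for +/- `window` steps of clock drift.

    compare_digest avoids leaking which digits matched through timing.
    """
    for skew in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + skew * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def restore(backup: dict) -> dict:
    """What a second device gets from a sync: the same secrets, bit for bit."""
    return dict(backup)


def codes_for(backup: dict, at_time: int) -> dict:
    """Codes every holder of this backup can produce for each site at `at_time`."""
    return {site: totp(secret, at_time) for site, secret in backup.items()}


def second_factor_follows_backup(at_time: int) -> bool:
    """True when the restored copy produces the same codes as the original and the
    server accepts them: the server cannot tell which copy of the secret answered."""
    original = codes_for(SAMPLE_BACKUP, at_time)
    restored = codes_for(restore(SAMPLE_BACKUP), at_time)
    return original == restored and all(
        verify(secret, restored[site], at_time) for site, secret in SAMPLE_BACKUP.items()
    )


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                     # RFC 6238 vector 94287082, last six digits
    print(second_factor_follows_backup(1234567890))
```

Because the relying party only ever sees the six digits, nothing distinguishes the original phone from any other holder of the secret; that is why the protection applied to the backup at rest (the question fabian2k raises above) decides whether access to the account alone is enough. The example says nothing about how Google actually stores the synced secrets, since the article does not describe that.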

I thought we were trying to wean people off of OTP? jillesvangurp is easy for you to say: [You’re fired—Ed.]

I’m not sure what Google is trying to … do with Authenticator at this point. But making it less of a support nightmare is a good thing: … I expect somebody (finally) got pragmatic about it maybe not being ideal that users get locked out of all their critical accounts every time they lose their phone.

2FA setup in general is a PITA to support with users in the real world. I speak from experience. It’s too complicated. Too many different steps involved. People get stuck doing it. People get locked out of their accounts.

Meanwhile, Google, MS, Apple, and others are also pushing hard for Passkeys. That seems more promising. But what worries me is that they regard this as a browser thing. So that still leaves a lot of mess outside of browsers.

Meanwhile, ewhac has uninstalled the app:

“Don’t be evil,” has been dead for a while, but I had hoped they would have at least held on to, “Don’t be stupid.”

And Finally:

Gene Kelly turns in his grave

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Aleksandra Sapozhnikova (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
