mccAs I awoke this morning from uneasy dreams I found that Google had replaced my authenticator app with an anus drawn by Kurt Vonnegut
…wait I'm sorry, fucking *what*? "back up your authenticator codes to the cloud"?! Isn't it *literally* no longer 2FA then? Like at that point the test the authenticator performs isn't "do you have the physical device" it's "do you have access to the Google account". Why not use a Google password manager and skip the authenticator?!
Is the market for this feature people who are being forced by a job or policy to use authenticator 2FA but don't take it seriously?
Stuck now trying to figure out whether the presence of the "back up to the cloud" kills the security of my Google Authenticator install *even if I don't enable it*. It seems like if someone compromises my phone, now they can exfiltrate my authenticator/OTP keys by simply going through the GUI flow to sign up for "cloud backup". (This *is* Android so maybe the keys are stored in a way a compromised phone could just read them off the disk, but… even that probably couldn't be done through a *GUI*!)
Parade du Grotesque 💀Aegis Authenticator FTW!!
I am very glad I switched a couple of months ago...
gunstick@ParadeGrotesque @mcc how does it compare to Authy?
Bruce IV@mcc if you find a good alternative authenticator app I'd be interested to hear about it
@bruceiv everyone is recommending "aegis" to me
Justin Dearing
Koen de Jonge - SynQ@zippy1981 @mcc @bruceiv if you eliminate all the options that are not #opensource you can work based on what is technically most fitting.
If they all use an #openstandard that should just work.
Ben Hardill@mcc if you can get to the gui you can export all the seeds as a QR code...
Ellie@mcc The seed info for the TOTP keys was always stored on disk; that's not new.
Jason Petersen (he)@mcc it depends upon what it takes to onboard a new device!
Tom PrioreWhen you sync an authenticator to a service, they do a secret exchange. It's a shared secret. If that secret is exposed, then yes, someone else can provide TOTP 2FA codes to the service. However, the secret in the phone should be encrypted and unlocked via your phones auth mechanisms (face ID, fingerprint, what ever). That mechanism is tied to the physical phone, those secrets / keys are not backed up, and not restored.
The risk is not zero but its low.
@mcc Looks like i need to correct this, Google allows the back up to be restored on a different phone. That means they are stripping the encryption based on the device's secrets. The TOTP codes are not bound to the device. This increases risk.
Risk is not zero:
Simon ZerafaMany other TOTP Authenticators have had online backup with a separate password for some time.
Indeed without this feature it's problematic if not impossible, to move to a new smartphone.
I do wonder what will happen if you loose access to your Google account and end up locked out of your TOTP settings 🫤🤷♂️
@mcc I evem don't backup my phone, as I am unable to determine how (and if) this is secured. I would do it if the backup is encrypted with a password I have to type in. But I can't find such an option.
So same thing for authenticator.
I use Authy, which has a local encrypted backup to the SD card.
And there I run rsync to my NAS.
So same thing for authenticator.
I use Authy, which has a local encrypted backup to the SD card.
And there I run rsync to my NAS.
Eaton@mcc “ESA: Extra Step Authentication”
wb x64@mcc see also, people who use the 2fa feature of LastPass, and also how the most popular 2fa provider out there works, Authy.
Mr Least
Andy@mcc I guess it would still protect from 3rd party password breaches or MitM password harvesting, but yeah it’s more 1.5FA
FlatFootFox Moved to Hachyderm@mcc A big part of this is folks who upgrade their phone and wipe/sell the old one having forgotten to transfer the 2FA codes.
@FlatFootFox sounds like an argument against 2fa to me, not an argument in favor of fake 2fa?!
@mcc Oh yeah, for sure. I just mean that’s the only consumer “use case” I can think of.
@mcc I consider using 2FA in a manner in which I could be locked out of all my accounts by losing a device to be rather unserious, IMO
iamevn@mcc I think it's marginally better than WinAuth (which I was terrified to see widely used in a company that won't give people work phones and where devs don't want work anything on personal phones)