…wait I'm sorry, fucking *what*? "back up your authenticator codes to the cloud"?! Isn't it *literally* no longer 2FA then? Like at that point the test the authenticator performs isn't "do you have the physical device" it's "do you have access to the Google account". Why not use a Google password manager and skip the authenticator?!

Is the market for this feature people who are being forced by a job or policy to use authenticator 2FA but don't take it seriously?

Stuck now trying to figure out whether the presence of the "back up to the cloud" kills the security of my Google Authenticator install *even if I don't enable it*. It seems like if someone compromises my phone, now they can exfiltrate my authenticator/OTP keys by simply going through the GUI flow to sign up for "cloud backup". (This *is* Android so maybe the keys are stored in a way a compromised phone could just read them off the disk, but… even that probably couldn't be done through a *GUI*!)