As I awoke this morning from uneasy dreams I found that Google had replaced my authenticator app with an anus drawn by Kurt Vonnegut
…wait I'm sorry, fucking *what*? "back up your authenticator codes to the cloud"?! Isn't it *literally* no longer 2FA then? Like at that point the test the authenticator performs isn't "do you have the physical device" it's "do you have access to the Google account". Why not use a Google password manager and skip the authenticator?!
Is the market for this feature people who are being forced by a job or policy to use authenticator 2FA but don't take it seriously?
Stuck now trying to figure out whether the presence of the "back up to the cloud" kills the security of my Google Authenticator install *even if I don't enable it*. It seems like if someone compromises my phone, now they can exfiltrate my authenticator/OTP keys by simply going through the GUI flow to sign up for "cloud backup". (This *is* Android so maybe the keys are stored in a way a compromised phone could just read them off the disk, but… even that probably couldn't be done through a *GUI*!)

@mcc

When you sync an authenticator to a service, they do a secret exchange. It's a shared secret. If that secret is exposed, then yes, someone else can provide TOTP 2FA codes to the service. However, the secret in the phone should be encrypted and unlocked via your phone's auth mechanisms (Face ID, fingerprint, whatever). That mechanism is tied to the physical phone; those secrets/keys are not backed up, and not restored.

The risk is not zero, but it's low.

@mcc Looks like I need to correct this: Google allows the backup to be restored on a different phone. That means they are stripping the encryption based on the device's secrets. The TOTP codes are not bound to the device. This increases risk.
How Google Authenticator made one company’s network breach much, much worse

Google's app for generating MFA codes syncs to user accounts by default. Who knew?

Ars Technica
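The point made in the reply above, that a TOTP code is a function of the shared secret and the clock and nothing else, worked through in code. This is an added example, not code from the thread or from Google Authenticator. The key is the RFC 4226/RFC 6238 Appendix test-vector key, the base32 form mimics what an enrollment QR code carries, and the "exfiltrated copy" is a constructed stand-in for a secret read out of a cloud backup or a compromised phone; the server-side `verify_totp` with a one-step skew window is a typical shape, not any particular service's implementation.

```python
"""TOTP (RFC 6238) worked through: the code depends only on the shared
secret and the current time step, so any party holding a copy of the
secret produces codes the server cannot distinguish from the phone's.
Added example, not code from the thread."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` steps of clock skew.
    Constant-time comparison so the check itself leaks nothing about the code."""
    counter = at // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret as carried in an otpauth:// URI or shown as
    the manual-entry key during enrollment (spacing, case and padding vary)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


# RFC 4226 / RFC 6238 Appendix test-vector key (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
# The same key as an enrollment QR code would carry it (constructed here).
RFC_TEST_SECRET_B32 = base64.b32encode(RFC_TEST_SECRET).decode().rstrip("=")


def exfiltrated_copy_matches(secret: bytes, at: int) -> bool:
    """Models the thread's concern: a second device holding a byte-for-byte
    copy of the secret (restored from a cloud backup, or read off a
    compromised phone) yields the same code as the enrolled phone, and the
    server accepts it. Nothing in the protocol binds the code to a device."""
    phone_code = totp(secret, at)
    attacker_code = totp(bytes(secret), at)  # the copy, no device binding involved
    return phone_code == attacker_code and verify_totp(secret, attacker_code, at)


if __name__ == "__main__":
    now = int(time.time())
    print("enrolled phone  :", totp(RFC_TEST_SECRET, now))
    print("exfiltrated copy:", totp(secret_from_base32(RFC_TEST_SECRET_B32), now))
    print("server accepts  :", exfiltrated_copy_matches(RFC_TEST_SECRET, now))
```

Run it and the two codes always match: the only "second factor" the server can test is knowledge of the 20-byte secret, which is exactly what a cloud backup copies and what a restore on another phone hands out again.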