mccAs I awoke this morning from uneasy dreams I found that Google had replaced my authenticator app with an anus drawn by Kurt Vonnegut
…wait I'm sorry, fucking *what*? "back up your authenticator codes to the cloud"?! Isn't it *literally* no longer 2FA then? Like at that point the test the authenticator performs isn't "do you have the physical device" it's "do you have access to the Google account". Why not use a Google password manager and skip the authenticator?!
Is the market for this feature people who are being forced by a job or policy to use authenticator 2FA but don't take it seriously?
Stuck now trying to figure out whether the presence of the "back up to the cloud" kills the security of my Google Authenticator install *even if I don't enable it*. It seems like if someone compromises my phone, now they can exfiltrate my authenticator/OTP keys by simply going through the GUI flow to sign up for "cloud backup". (This *is* Android so maybe the keys are stored in a way a compromised phone could just read them off the disk, but… even that probably couldn't be done through a *GUI*!)
gunstick@mcc I evem don't backup my phone, as I am unable to determine how (and if) this is secured. I would do it if the backup is encrypted with a password I have to type in. But I can't find such an option.
So same thing for authenticator.
I use Authy, which has a local encrypted backup to the SD card.
And there I run rsync to my NAS.
So same thing for authenticator.
I use Authy, which has a local encrypted backup to the SD card.
And there I run rsync to my NAS.