Google Authenticator Can Now Sync 2FA Codes To the Cloud - Slashdot

source link: https://tech.slashdot.org/story/23/04/24/1957201/google-authenticator-can-now-sync-2fa-codes-to-the-cloud



Google Authenticator Can Now Sync 2FA Codes To the Cloud (techcrunch.com) 50

Posted by msmash

on Monday April 24, 2023 @04:41PM from the moving-forward dept.
Google Authenticator just got an update that should make it more useful for people who frequently use the service to sign in to apps and websites. From a report: As of today, Google Authenticator will now sync any one-time two-factor authentication (2FA) codes that it generates to users' Google Accounts. Previously, one-time Authenticator codes were stored locally, on a single device, meaning losing that device often meant losing the ability to sign in to any service set up with Authenticator's 2FA. To take advantage of the new sync feature, simply update the Authenticator app. If you're signed in to a Google Account within Google Authenticator, your codes will automatically be backed up and restored on any new device you use. You can also manually transfer your codes to another device even if you're not signed in to a Google Account by following the steps on this support page.

Some users might be wary of syncing their sensitive codes with Google's cloud -- even if they did originate from a Google product. But Christiaan Brand, a group product manager at Google, asserts it's in the pursuit of convenience without sacrificing security. "We released Google Authenticator in 2010 as a free and easy way for sites to add 'something you have' 2FA that bolsters user security when signing in," Brand wrote in the blog post announcing today's change. "With this update we're rolling out a solution to this problem, making one time codes more durable by storing them safely in users' Google Account."


    • Re:

      As has Bitwarden.

      • Re:

        Yes but you can control your own private bitwarden instance.

        If I want to hand over access to everything I have to any yahoo with a rubber stamp from a FISA court or who doesn't have one but activists at Google feel inclined to support Twitter style this seems like a good idea. Otherwise if I want access control to remain in my hands rather than Google's this is a terrible idea.

        This update brought to you by the same folks who just tried to claim FB was trying to facilitate child pornography by spreading end-

  • Great (Score:5, Insightful)

    by dskoll ( 99328 ) on Monday April 24, 2023 @04:48PM (#63473624) Homepage

    So now if someone compromises your Google account, they can access your 2FA codes for other non-Google accounts. Excellent move, Google.

    Then there's the chicken-egg problem... if you lose your Google Authenticator device, your 2FA codes are safely stored... precisely where you can't access them unless you've copied your emergency codes somewhere safe. I bet around 2% of people bother to do that.

    • Re:

      Just turn on 2FA for your Google account. It's really easy, there's even an app you can use and....wait a minute!

      • I think Google fundamentally doesn't understand 2FA. They don't even appear to support CTAP2 on any single one of their products, just old CTAP1, even though CTAP2 has been a thing for three years now. No resident key support, no pin support. Doesn't seem like they will support it any time soon either. People have been asking for it and Google's responses have been either totally silent or totally dumbfounded thus far.

    • Re:

      The point is to have multiple devices, the cloud is just an intermediary.

      • Re:

        I do have my TOTP secrets stored on multiple devices, without using the cloud as an intermediary. Unfortunately, Google has no incentive to make that convenient.

        • Re:

          And no, exporting using QR codes is not convenient when the device doing the import barfs on QR codes with more than about 5 TOTP secrets in them.

      • Re:

        No, the cloud is a central storage point within third party control. In security we call this a MITM (man in the middle) and it is considered a form of attack.

    • Re:

      It will probably get integrated into Chrome at some point. Optional of course, but for most people who don't use 2FA at all it's still an improvement.

      When doing security on this scale your always have to remember that even the smallest bit of friction will put off most users, and as you note most probably don't have their backup codes to hand.

      Naturally you don't use Google Authenticator anyway.

      • Re:

        "for most people who don't use 2FA at all it's still an improvement"

        No it isn't. It is a MITM attack that creates the ILLUSION of an improvement, that is worse than not having 2FA because someone who lacks 2FA (is that anyone anymore? It is mandatory for just about everything.) will realize their lack when they do become aware of it at some point. Someone with this turned on will be lulled into a sense of security while having completely compromised themselves.

    • Re:

      "So now if someone compromises your Google account, they can access your 2FA codes for other non-Google accounts."

      Yeah, someone like... I don't know... GOOGLE. The only ones praising this move are the ignorant and agencies who oppose the spread of end-to-end encryption.

    • Re:

      AndOTP [f-droid.org] can make an encrypted copy of the 2FA secrets on the local drive (which then needs to saved off-device).

      Your digital life (passwords, security questions/answers, password-recovery email addresses, 2FA secrets, product keys) must be backed-up but nobody teaches this and despite the 'you need this' warning of online web-sites, people rarely think of the problem of lost authentication data.

    • Re:

      That's why I don't have any backups. They don't help or do anything since so few people use backups there's clearly no point in the entire concept.

  • huh? (Score:4, Insightful)

    by PubJeezy ( 10299395 ) on Monday April 24, 2023 @04:51PM (#63473636)

    I don't understand how this is considered an upgrade. Unless I'm misunderstanding something, it seems like they turned their 2FA into 1FA. The whole idea is that you're supposed to demonstrate control of something in addition to your account info in order to verify your activity. The idea being that you're less likely to lose your phone AND your login info. But if 2FA code is now accessible from the account itself, without needing my secondary device, isn't that just 1 factor?
    • Yes, this is a major security downgrade.
      • Re:

        Yeah it is, but it is a convenience upgrade for when things go tits up with the primary 2FA device, and we all know what wins with Joe and Jane Public, and it ain't security. I'm sure you can turn off cloud sync if you don't want it.
    • Re:

      It's no better/worse than any other cloud service. For someone to get access to the stored 2FA data, they would need to either have already compromised your account or compromised Google. Either way, your account already isn't safe. That isn't an endorsement, just pointing out how it's not relevant in that context.

      • Re:

        Many people store non-Google TOTP secrets in Google Authenticator, and may not want them shared to Google. This should definitely be an opt-in feature, but it sounds like it's not and that there's no way to opt out, either.

        • Re:

          Yes, but that is a separate concern from the one I replied to.
          • Re:

            It's not really a separate concern. It makes breaking into a Google account just a little bit more attractive to an attacker.

            • Re:

              It really is a separate concern, as the risk they were putting forth was that the 2FA for Google would be saved in the 2FA store on Google and thus not make it a true 2FA. My point was that if they gained access to your 2FA store, they already have access to your account and thus the concern is moot.
        • Re:

          Even if it were opt-out the client would have likely already transferred the credentials before you opt out rendering them compromised. They just turned Google authenticator into a trojan.

      • Re:

        "or compromised Google"

        Or be Google or legally compel Google under a gag order... including doing so in authoritarian regimes like China. Google authenticator facilitates 2FA for third party services, this could even include unrelated government services in some cases.

        Thanks but no thanks.

        • Re:

          Those concerns aren't unique to Google. I'm not suggesting this is a good change, I'm only refuting the claim that this makes the Google account itself less secure. Anyone that has access, by any means, to the stored 2FA data on Google wouldn't need the 2FA since they already have access.
          • Re:

            It absolutely makes it less secure. This means an attacker need only gain brief access to the account to have ongoing access in a manner that does not raise any alarms to the legitimate user.

    • Re:

      The point is to allow you to get a tertiary device which acts as your secondary device for authentication.

      The 2FA sync isn't accessible from the account if you haven't authenticated.

    • Re:

      That's what I'm hearing as well.

      Which is absolutely par for the course when it comes to security. Everyone wants security, until it becomes mildly inconvenient, at which point some way to work around the security becomes popular (e.g. passwords on post-it notes next to the "secured" copy machine).

      I predict this trend will continue until we all routinely bypass at *least* four levels of security on a regular basis, and someone finally realizes that they can get almost as much security much cheaper by using a

      • Re:

        If you don't have 2fa for your 2fa device, are you even trying?
    • Re:

      You should be aware that Google has recently done that all across the web. They have enabled "log in with Google" on many sites, without your permission or interaction. If someone gains control of your email account, they can log into anything.

    • Re:

      You're misunderstanding it. It's still 2FA, except that the second factor is virtualised on a cloud service instead of being a device in your pocket connected to that same cloud.

  • A little bit of searching led me to Aegis Authenticator [getaegis.app] which IMO is superior to Google Authenticator.

    1. You can encrypt your secrets file with a master password.
    2. You can back up your secrets file, but doing so is optional and you get to decide where you want it backed up to. That can include Google Drive if you want, but doesn't have to.
    3. The code is open-source (GPLv3 license.)

    I'm not affiliated with Aegis in any way... I just like the looks of the app.

  • You guys still using anything by Google?

    I pity the fool

  • With something like Duo, I get an MFA notification on my watch. I confirm in one-step and done. Last time I used Google Authenticator, it could not do push notifications. I had to unlock my phone, open up the app, make a note of the code and manually enter that in on my computer. That is too many steps.

    • Re:

      Of course not. They're separate types of 2FA.

      Duo involves a client application telling Duo's infrastructure to send that push request to your watch. It's fantastic; I've deployed it for more clients than any other 2FA system...but it's still dependent on Duo specifically.

      Google Authenticator (and MS Authenticator and Authy and Aegis and FreeOTP and...) use a private key and the current time and some really complicated math to generate those six digit codes.

      Each system has some pros and cons. Duo is great be

  • The point of 2FA is that the second factor shouldn't be replicable. This "update" degrades Google Authenticator's suitability as a 2FA app. Moreover, it looks like the synchronization to Google's servers will start automatically, without an opt-in. This means that with this update Google employees invited themselves into the position of being theoretically able to access, say, one's bank account, without bothering to ask whether he or she agreed to that. This is unacceptable.
  • So Google can steal my security info and share it with Governments that demand it? No.

    • This a hundred times. Uninstalling now, shame on me for still having that app on my otherwise degoogled device.
  • One of my core items on my 2FA app punch list is the ability to export the list of shared secrets to a CSV, JSON, or other plain text file, so I can import them somewhere else, even if I have to manually copy/paste them, write a script to pull out the values and throw them into a format grokkable by a new PW manager, or use another script to convert the 2FA key value into a QR code for import somewhere else. Without the ability to export, I won't use the program.

    I also want known good encryption for the 2F

    • Re:

      You can export to QR-Code and scan that to get a string. You can also get the string directly. Works for a number of secrets at once.
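  The comment above about "a private key and the current time and some really complicated math", and the earlier wish for an export to a plain-text format, both come down to the same two standards: HOTP (RFC 4226) and TOTP (RFC 6238), plus the otpauth:// Key Uri that most authenticator apps encode in their QR codes. The block below is an added example written for this page, not code from Google Authenticator, Aegis or any other app mentioned in the thread. It parses an otpauth://totp URI (constructed here around the RFC 6238 reference secret "12345678901234567890"), derives the six-digit code the way every TOTP app does, and verifies a submitted code with a one-step window and a constant-time compare. It deliberately makes the thread's security point concrete: anyone holding the decoded secret bytes, on a phone or in a synced account, can produce valid codes. Google Authenticator's own batch-export QR uses a separate protobuf-based otpauth-migration:// format that this example does not parse.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample input: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded and wrapped in a Key Uri the way an authenticator app exports it.
# The account name and issuer are illustrative, not taken from the page.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=Example&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Parse an otpauth://totp/<label>?secret=...&... Key Uri.

    Returns the raw secret bytes plus the parameters needed to reproduce
    the code. Anything the caller can read out of here is all an attacker
    needs as well; that is the whole argument about syncing it.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper().replace(" ", "")
    # Exporters often drop base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: the counter is the number of whole periods since the Unix epoch."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def code_from_uri(uri, unix_time=None):
    """What the app on your phone (or a copy of the secret elsewhere) displays right now."""
    entry = parse_otpauth(uri)
    if unix_time is None:
        unix_time = time.time()
    return totp(entry["secret"], unix_time, entry["digits"], entry["period"], entry["algorithm"])


def verify_code(secret, submitted, unix_time, window=1, digits=6, period=30, algorithm="SHA1"):
    """Server-side check: accept the current step plus `window` steps either side
    to absorb clock drift, comparing in constant time to avoid a timing oracle."""
    step = int(unix_time) // period
    ok = False
    for counter in range(step - window, step + window + 1):
        # No early return, so the loop cost does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, counter, digits, algorithm), submitted)
    return ok


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["label"], "secret bytes:", entry["secret"])
    print("code now:", code_from_uri(SAMPLE_URI))
```

The RFC 6238 test vectors make the arithmetic checkable without a real account: with the reference secret, the SHA1 code at Unix time 59 is 94287082 for eight digits, so the six-digit form is 287082. Note that `verify_code` is the relying party's side of the protocol; the authenticator app only ever runs `totp`, which is why a second copy of the secret anywhere is indistinguishable from the original device to the server.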

  • ...There are no nice, genteel words for the "decision process" that spurred this change. This is straight-up congenital brain damage. I guaran-fscking-tee you that all bugs filed against this change were closed with the sniffy, "NOTABUG: Working as designed."

    Google Authenticator was correctly designed from the outset. You do not create a single target for adversaries to attack. You distribute the secrets and ideally isolate them so that adversaries have to compromise thousands of systems instead of ju

  • I have to consider this change malicious. It deliberately allows access to the 2FA secrets when the whole point of 2FA is that nobody but the owner has access to them. The correct way to handle transferring secrets is how GA already did it: generate QR codes containing the secret database and scan them in on the new device. No need for the cloud at all. The only thing lacking would be the ability to export an encrypted copy of the database so it could be backed up locally in the event of the device failing

    • Re:

      Indeed. I guess I will very much _not_ update the app and make sure it does not have any network permissions. Might also move to an alternative that does not have this "feature" or where I can depend on it being off unless I gave explicit permission. My trust in Google is non-existent these days.

      As to backup, I have a backup on an old Kindle Fire which is permanently in airplane mode and a 2nd one on an old Android phone without SIM card which also is in airplane mode and usually off. That is quite enough

  • ... there was no option to make it mandatory for all access to the account, and Google preferred to entrust the account to a cellphone provider.
  • Make it meaningless...
