11 votes

Google Authenticator now supports Google Account synchronization

After 11 years of life, Google Authenticator has added cloud backups for OTP keys in version 6.0.

Google Security Blog: Google Authenticator now supports Google Account synchronization

This is surprising news to me, because historically Authenticator had no way to backup keys by design. Here's a 2017 quote from a Google engineer who maintains Authenticator:

There is by design NO account backups in any of the apps. [source]

This design choice always made sense to me, as the point of 2FA is that you've got (1) something you know, and (2) something you have. The second factor should be tied to a physical device. If you lose the physical device, the second factor should be gone, and you'll need to use one of those 10-ish backup codes that we all definitely keep somewhere safe. I'm quite befuddled that Google is reversing this design choice and walking back their previously strong, security-centric design for the sake of user convenience in the case of a lost phone. I used to advise my friends and family to choose Google Authenticator over Authy for this specific reason.

If you want further reading, here's a PCWorld article with an altogether different tone than Google's announcement: Google Authenticator’s long-awaited cloud 2FA feature carries hidden risk

4 comments

  1. m-p-3
    Personally I'd be more comfortable using it if it had the option to enter a custom passphrase for E2EE. And Aegis works wonderfully and is more feature-complete, so I don't see any incentive to switch.

    4 votes
  2. xyz
    It can be extremely difficult to recover an account on some services when you lose your 2FA device. Which is good because recovery measures by nature sidestep the purpose of 2FA. I have 20+ services in my authenticator and it would be a nightmare to get that sorted out if my authenticator was lost or destroyed.

    That said, I wouldn't use a cloud backup service with it, but a local backup on a flash drive in a safe makes sense to me. The downside is that it opens up the possibility of malware being able to export the private keys for your 2FA, but if you have malware with that level of privileges on the device with your authenticator it could generate codes anyway. The other alternative I can see would be to save the QR codes you use to set up 2FA on each service, so you can use it to set up a different device in an emergency.

    3 votes
    1. buzziebee
      I had a real scare the other week when my phone broke during a night out. Luckily it was just the screen so I could swap the motherboard into a second hand one I bought, but it definitely put the fear into me of losing my auth tokens.

      I won't use this Google auth backup because it's not e2e encrypted. I've been planning to look into open source 2fa apps which allow for secure backups to be made. Aegis authenticator looked alright.

      It might also be a fun weekend project to create a basic authentication app that allows for encrypted backups to be made to a server or file of choice. Not high on my priority list though.

      1 vote
  3. skybrian
    Yes, it seems risky, but losing your phone can be pretty bad, and setting up a backup way for logging into every website you use authenticator codes for is annoying.

    As the article says, they're going to add end-to-end encryption, and I'm waiting for them to do that before turning syncing on for Authenticator.

    They already do have that kind of encryption for Google Password Manager, which handles saved-password and passkey syncing. It seems like a reasonable design. Here's a blog post about how that works:

    To address the common case of device loss or upgrade, a key feature enabled by passkeys is that the same private key can exist on multiple devices. This happens through platform-provided synchronization and backup.

    Passkeys in the Google Password Manager are always end-to-end encrypted: When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices. This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign in to its corresponding online account.

    [...]

    In some cases, for example, when the older device was lost or damaged, users may need to recover the end-to-end encryption keys from a secure online backup.

    To recover the end-to-end encryption key, the user must provide the lock screen PIN, password, or pattern of another existing device that had access to those keys. Note that restoring passkeys on a new device requires both being signed in to the Google Account and an existing device's screen lock.

    I think of authenticator codes as a legacy way of doing things now that there are passkeys, but it would still be good to do syncing at least as securely as the newer stuff.

    3 votes
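Three ideas in this thread share one key hierarchy: a user-chosen passphrase for end-to-end encryption (m-p-3), encrypted backups to a file or server of choice (buzziebee), and the passkey model skybrian quotes, in which the backup is encrypted under a key that exists only on the user's devices and a new device recovers it with an existing device's screen lock. The added example below is not code from Google Authenticator, Aegis or Google Password Manager; it sketches that hierarchy with the Python standard library. A random backup key encrypts the exported OTP entries; that key is wrapped under a scrypt-derived key from a device's screen-lock PIN (a passphrase works the same way); the server holds only ciphertexts, so being signed in yields nothing readable without the lock. Because the standard library has no AEAD, `seal` and `open_` use an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC in place of AES-GCM. All names, the scrypt cost parameters, the `otp-entries-v1` label and the sample entry are this example's assumptions.

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, List

SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # assumed KDF cost for screen-lock PINs / passphrases
NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF stream cipher (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def _subkeys(key: bytes):
    # Independent encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag; `aad` is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag in constant time before decrypting; a wrong key or tampering raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("backup rejected: wrong key or tampered data")
    return _keystream_xor(enc_key, nonce, ct)


def wrap_backup_key(backup_key: bytes, device_name: str, screen_lock: str) -> Dict[str, str]:
    """Wrap the account backup key under a key derived from one device's screen lock.
    The server stores only this record (salt + ciphertext), never the lock or the key itself."""
    salt = os.urandom(16)
    kek = hashlib.scrypt(screen_lock.encode(), salt=salt, **SCRYPT)
    wrapped = seal(kek, backup_key, aad=device_name.encode())
    return {"device": device_name, "salt": salt.hex(), "wrapped": wrapped.hex()}


def unwrap_backup_key(record: Dict[str, str], screen_lock: str) -> bytes:
    """A new device recovers the backup key from the server record plus an existing device's lock."""
    kek = hashlib.scrypt(screen_lock.encode(), salt=bytes.fromhex(record["salt"]), **SCRYPT)
    return open_(kek, bytes.fromhex(record["wrapped"]), aad=record["device"].encode())


def encrypt_entries(backup_key: bytes, entries: List[dict]) -> bytes:
    """Encrypt the exported otpauth entries; the server only ever sees this blob."""
    return seal(backup_key, json.dumps(entries, sort_keys=True).encode(), aad=b"otp-entries-v1")


def decrypt_entries(backup_key: bytes, blob: bytes) -> List[dict]:
    return json.loads(open_(backup_key, blob, aad=b"otp-entries-v1"))


def demo() -> dict:
    """Two-device walkthrough on constructed data: enroll on phone A, recover on phone B."""
    entries = [{"issuer": "example-service", "account": "alice", "secret": "JBSWY3DPEHPK3PXP"}]  # constructed
    backup_key = os.urandom(32)  # lives only in phone A's local, lock-protected storage
    server = {  # what a synced account would hold server-side: ciphertext only
        "entries": encrypt_entries(backup_key, entries),
        "recovery": [wrap_backup_key(backup_key, "phone-a", "1357")],
    }
    # Phone B: signed in (has the server blobs) and presents phone A's screen lock.
    restored = decrypt_entries(unwrap_backup_key(server["recovery"][0], "1357"), server["entries"])
    # Sign-in alone with a guessed lock yields nothing readable.
    try:
        unwrap_backup_key(server["recovery"][0], "0000")
        wrong_lock_rejected = False
    except ValueError:
        wrong_lock_rejected = True
    # A flipped byte in the stored ciphertext is caught by the MAC rather than decrypted silently.
    tampered = bytearray(server["entries"])
    tampered[NONCE_LEN] ^= 0x01
    try:
        decrypt_entries(backup_key, bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"restored": restored, "wrong_lock_rejected": wrong_lock_rejected, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each additional device adds its own `wrap_backup_key` record, so any one existing device's lock can recover the set on a new phone, while the server-side records stay useless on their own; the scrypt cost is what makes a short PIN survive offline guessing of a leaked record for a while, which is why a real deployment pairs it with a rate-limited hardware-backed check rather than relying on the KDF alone.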