layman51 5 days ago

Can someone please explain to me what it means for authenticator codes to be “cloud-synced”? Is that solely dependent on whether you’re using the Google Authenticator app while signed in to your Google Account? Is it possible to not have them “cloud-synced” if you are signed in?

jazzyjackson 5 days ago | parent | next [-]

Google Authenticator app defaults to backing up the TOTP secrets so if you log in on a new device you have them there. Pretty poor default for security, and you can disable it, but not the first time I've heard of this biting someone.

nipponese 5 days ago | parent | next [-]

The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.

themafia 5 days ago | parent | next [-]

> you're cooked.

I've lost 2FA codes. It's complicated but if you have a financial relationship with the vendor you're going to be able to get everything sorted out. I imagine as this happens more there will be common internal policies which aid customers in this situation.

You have to weigh the amount of potential hassle against the value of potential losses. Why you would have $100,000 of value stored somewhere and only secured by a loose-lipped third party app is beyond me.

traceroute66 5 days ago | parent | prev | next [-]

> The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.

Most clued-up places enable you to register a Yubikey as 2FA.

So then it doesn't matter if you lose your OTP app and your backup codes because you've still got a Yubikey.

(And those that don't allow Yubikey, almost certainly will have SMS as a secondary option).

jgilias 5 days ago | parent | next [-]

You really shouldn’t use SMS 2FA. SIM swapping does happen. This kind of depends on the jurisdiction though. In some countries operators won’t reassign the phone number willy-nilly.

Still, better to just not do SMS auth. These days Yubikeys are not that expensive. Get three, register them all at the most important places, and put one at a parents’ place or similar.

traceroute66 5 days ago | parent [-]

I agree entirely.

But the point I was making was that IF the website does not allow Yubi THEN SMS is almost certainly available, and you should use that as a backup mechanism.

Why? Some sort of backup mechanism is better than none at all.

ac29 4 days ago | parent | prev [-]

> Most clued-up places enable you to register a Yubikey as 2FA. So then it doesn't matter if you lose your OTP app and your backup codes because you've still got a Yubikey.

And what happens if you lose your Yubikey or it stops working? You're back to needing backup codes or an additional 2FA device.

traceroute66 4 days ago | parent [-]

> And what happens if you lose your Yubikey or it stops working?

That's why you own N+1 Yubikeys ;p

Any place that offers Yubikey auth will enable you to register multiple Yubikeys against your account.

In all my time on the internet I have only ever seen one place that allows Yubikeys but restricts you to one key.

Sayrus 5 days ago | parent | prev | next [-]

Which is why most apps with sync have two sets of credentials: one to login on the platform and one master password for encryption. That helps in those scenarios.

fortran77 5 days ago | parent | prev | next [-]

Yes. There are other ways of syncing (I have images of the setup QR codes saved in an encrypted file) but most people wouldn’t be able to manage this.

jazzyjackson 5 days ago | parent | prev [-]

An alternative to syncing is to add the TOTP code on multiple devices, so that losing one device is not catastrophic.

layman51 5 days ago | parent | prev [-]

You mean to say that if it were enabled on my Google account, then the TOTP numbers for my other accounts are visible via authenticating into Google Account on some other unknown device? Sounds like it could be convenient if you lose your phone, but still risky if an attacker can sign into your Google Account.

jgilias 5 days ago | parent [-]

Yeah. And this is on by default. Without an additional secret.

tetromino_ 5 days ago | parent | prev [-]

https://security.googleblog.com/2023/04/google-authenticator...

Google Authenticator can be local-only or synced to the cloud.

In local-only mode, the authenticator is bound to a specific device. You can manually sync it to additional devices, but if you lose access to all those devices, it's game over, you will get locked out of whatever accounts you secured with authenticator as the second factor.

In cloud-synced mode, it's synced to your Google account, so if you lose your phone, you can restore authenticator state. But if your Google account gets taken over, it's game over, the attacker has your authentication codes.