Pretty sure the same applies to all the passwords/passkeys/2FA codes stored in the Authenticator app with cloud backup on.

bdavbdav 5 hours ago | parent | next [-]

Use 1Password or similar instead. They’re keyed against a key they don’t have access to.

How do you avoid losing that key?

	▲	mrweasel 3 hours ago \| parent [-]
		They have a recovery sheet you can print. If you lose your key, you can use the recovery information on that piece of paper to regain access. You put the recovery information in a safe place. That is also exactly why people like myself are so against passkeys, there are no offline recovery.

zekica 5 hours ago | parent | prev [-]

Only if that authenticator/password manager app is not end-to-end encrypted.

mcsniff 5 hours ago | parent | next [-]

No, not "only". E2EE is now used as a dog whistle.

Who holds/controls the keys on both ends?

	▲	arielcostas 4 hours ago \| parent [-]
		End-to-end usually means only the data's owner (aka the customer) holds the keys needed. The term most used across password managers and similar tools is "zero knowledge encryption", where only you know the password to a vault, needed to decrypt it. There's a "data encryption key", encrypted with a hash derived of your username+master password, and that data encryption key is used locally to decrypt the items of your vault. Even if everything is stored remotely, unless the provider got your raw master password (usually, a hash of that is used as the "password" for authentication), your information is totally safe. A whole other topic is communications, but we're talking decryption keys here

That's right, and Microsoft Authenticator isn't.