Google Authenticator for 2FA
-
In today’s modern world, where we should all be using password managers and authenticator apps to further enhance our online security presence, it’s easy to fall into the trap of not being able to recover Google Authenticator if your device is lost or stolen.
Whilst this sounds like an “it won’t happen to me”, never say never. Mobile devices are highly sought after in today’s world, and given that virtually everything we do online is from a mobile phone or tablet, it’s easy to become complacent. Sure, it’s available immediately if you need it, but what if you lose it?
What could happen?
Well, for one, you’ll be without your device, meaning that if you rely on that same peripheral to access a password manager, or generate TOTP-based 6-digit codes, you’re going to be in something of a “hole”, to say the least. You can get access to most password managers via an online vault, but if the account you need to access was secured with 2FA or push authentication, and you no longer have the associated device, then you’re in for quite a rough ride without a means of recovery.
This is where (for example, but not limited to) Google Authenticator will make you immediately fall on your sword if you don’t have copies of the backup codes, or the secret seed used to create the pairing in the first place. Be honest - do you keep a record of backup codes? I’m guessing you don’t.
It’s not actually possible to quickly and easily back up Google Authenticator, or the codes generated by it. It’s a simple process to transfer to another phone, but ONLY if you have the old device. If your phone or tablet is lost or stolen, and you have no means of proving who you are, then you are, for want of a better phrase, royally screwed.
The Solution
DON’T rely on Google Authenticator. Yes, it’s free. Yes, it’s simple, but if you lose your device, then you’ll quickly find out just how much of an inconvenience this is. I switched away from Google Authenticator years ago in favor of AUTHY (now known as Twilio). Not only can you have multiple devices, but there is a recovery mechanism whereby you can get access to your data on another device by simply going through the recovery process. The one caveat here is that the recovery requests need to be manually reviewed and approved.
I went through this same exercise around 4 years ago when my phone literally froze up, then died. I sent the phone back to the manufacturer, who informed me that the device was completely dead (it was an LG - never again) and that they would be shipping a replacement. Great, but what about the 2FA codes, etc.? As it’s an Android device, I simply pulled all of the settings back from my Google Account. However, getting the codes back into AUTHY meant I needed to go through the recovery steps.
These are pretty simple, but you need to be able to answer security questions in order to proceed. Another great addition in AUTHY is that you are periodically requested to enter the backup passcode so that backups of all your accounts can easily be taken.
A bit more information around that can be found here
And here
https://shieldplanet.com/what-if-i-lose-my-phone-with-google-authenticator-on-it/
This article is from the same bunch who developed the Shield Security plugin for WordPress, and they provide the same stark warning as I do here
https://getshieldsecurity.com/blog/google-authenticator-backups/
Transferring out of Google Authenticator is a simple process, but requires re-enrolling your device via AUTHY (or another product) in each application or account you have secured.
Bitwarden and others have the ability to incorporate 2FA generation and security in their password manager apps for mobile devices. The huge benefit here is that this is replicated into the online vault, meaning the codes are also generated there, and you can still access your accounts without your phone. More info about that here
https://bitwarden.com/help/authenticator-keys/
Don’t get caught out by sticking with Google Authenticator.
-
@phenomlab thanks for the tips…
In today’s world, password managers are becoming a must… I personally use 1Password, and I am glad that it is automatically adding 2FA to the login info…
Before that, I was using an app on my phone but was worried about exactly the same thing you mentioned above… Gladly, password managers are keeping it synced across all devices…
-
@crazycells said in Google Authenticator for 2FA:
password managers are keeping it synced across all devices…
But not all of them sadly. In terms of Google Authenticator, the fact that the device cannot be “backed up” in the traditional sense is a pitfall you’d only realise once you’re in that particular situation - and then it’s probably too late.
-
Well… just on time…
It looks like YubiKey 2FA should be the gold standard from now on… but I am worried that I will lose my key… What happens in that case? Fortunately, I am using 1Password. AFAIK their servers have never been breached before, and even if they are, since everything is only decrypted on my computer, the information on the server will not be useful for hackers… and additionally they have a $1 million bug bounty challenge…
https://blog.1password.com/increasing-our-bug-bounty-investment/
-
@crazycells said in Google Authenticator for 2FA:
What happens in that case?
Not much, it seems, even according to Yubico themselves
https://support.yubico.com/hc/en-us/articles/360013647620-Losing-Your-YubiKey
And then there’s also this
https://kernelafrika.com/blogs/product-news/steps-for-lost-yubikey
Bitwarden has also yet to be hacked, and is also using device-only decryption - nothing is stored in the cloud. It’s worth noting also that Authy didn’t get hacked - Twilio, which owns them, was the direct victim. It was their weak security that exposed Authy.
And this article from 1Password is biased, and actually unfair, as it relates to SMS passcodes, which are subject to SIM hijacking anyway - no matter what platform you use.
Personally, I wouldn’t pay much attention to that. It’s scaremongering if you are using TOTP, for example, as this will change every 30 seconds and is much stronger.
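Both the opening post (the seed created at pairing, and the need to re-enrol every account when you change apps) and the reply above (TOTP codes rotating every 30 seconds) rest on the same mechanism, RFC 6238. The example below is added here by the editor and is not code from any post in this thread; it shows that the base32 seed in the otpauth:// URI behind the enrolment QR code is the real backup, because any RFC 6238 implementation, this one included, regenerates the identical codes. The sample URI, the account name, "example.com" and the seed (the RFC 6238 test secret) are constructed for illustration.

```python
"""Added example, not from the forum thread: RFC 6238 TOTP from a stored seed.

Standard library only. Keep the secret= value of the enrolment URI (or the
otpauth:// URI itself) in your password manager and you can regenerate codes
on any device without the original authenticator app.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrolment URI, the kind a site encodes in its QR code.
# The seed is the RFC 6238 Appendix B test secret "12345678901234567890"
# in base32; "example.com" and the account name are placeholders.
SAMPLE_URI = (
    "otpauth://totp/example.com:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example.com"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Pull label, secret, algorithm, digits and period out of an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def decode_secret(b32: str) -> bytes:
    """Seeds are often shown lowercase, spaced and unpadded; normalise before decoding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift; constant-time compare."""
    t = int(time.time()) if at is None else at
    step = t // period
    return any(
        hmac.compare_digest(hotp(secret, step + k, digits, algorithm), code)
        for k in range(-window, window + 1)
    )


def code_from_uri(uri: str, at: Optional[int] = None) -> str:
    """Regenerate the current code for an enrolment that was recorded as its otpauth URI."""
    p = parse_otpauth(uri)
    return totp(decode_secret(p["secret"]), at, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], "->", code_from_uri(SAMPLE_URI))
```

The trade-off the thread is circling is visible in the code: whoever holds `secret` can mint every future code, so a seed copied into a synced vault is exactly as strong (and as exposed) as that vault. Bitwarden and 1Password storing the seed alongside the password is convenient, but it collapses the second factor into the first if the vault itself is compromised.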
-
@phenomlab yes, I think their source code is exposed… so, this is what could endanger the app in the future, I guess…
Yeah, I prefer TOTP rather than SMS-based 2FA; however, most of the time I cannot pick, because the website only offers one or the other type…
Somehow, US government sites or US banks usually go with SMS-based (which is very annoying), and they do not offer TOTP…
-
@crazycells yes, this is something I see on a daily basis, and despite how shockingly simple it is to conduct SIM jacking, it seems that several of the USA-based banks are reluctant to switch to at least TOTP, in the same sense as the USA has been extremely slow to adopt chip and PIN - something Europe has been making use of for years.
And they wonder why cheque and wire fraud is rife in America.