Google Authenticator and Why You Should Abandon This Two Factor Authentication App

in #bitcoin8 years ago

Google Authenticator is a potential timebomb waiting to happen


In the world of crypto currencies and altcoins, the use of two factor authentication is a MUST. One of the easiest ways to enable this is using the Google developed app that is Google Authenticator. It's easy to use and well rated on the Google Play store as well and supported across multiple platforms. But I'm here to make you consider an alternative fact, if you're using Google Authenticator you have a potential disaster waiting to happen.

So what's the issue with Google Authenticator?


I'm not here to attack the tech behind Google Authenticator today but rather the fact that it lacks a backup feature. Sure, you can restore to a different device using a method of choice but what if you have a total device failure or your phone is stolen and you didn't get that chance to transfer to another device your settings? At that point, you've just been setup for a long process or going through support or using restore keys to go in and reset two factor authentication for all your Crypto Exchange sites as a BEST case scenario.

A better solution using Authy


authy

Authy is another leading Application for Time-Based One Time Password (TOTP) authentication. Authy can even integrate your sites that support Google Authenticator only enabling you to store keys for these as well. This means the process of migrating from Google to Authy is relatively easy. Typically it will be just a matter of going into sites and resetting or disabling/re-enabling your Two Factor settings.

How is Authy going to help avoid the lost or stolen device issue?


The feature that is going to make Authy far more beneficial for users in the crypto space using 2FA with monetary investments involved is the backup feature. Unlike Google Authenticator you can backup your setup for Authy using your account with data stored in the cloud.

Cloud backup for my two factor auth data sounds like a security risk....


Although it sounds like a huge security hole, it isn't. Authy goes into great detail about what happens when you enable the backup feature and I want to touch on it a bit here to put fears to rest. This gets a bit technical but it's hard not to throw some jargon around when describing this process:

  1. Authy asks you for a backup password, make this secure.
  2. Authy then takes that password and using Password Based Key Derivation Function 2 (PBKDF2), it "stretches" the password. This process takes the password, and adds a salt to the password. The salt is so that if the same password is used by a user multiple places the hashed value of other operations will vary and not produce the same hashed value each time.
  3. After the salt is added, the result is run through the SHA256 hashing algorithm 1000 times (this is actually a lower number but is set that way due to lower processing power on phones for operations of this type).
  4. The output of the SHA256 hashing is then encrypted prior to upload using AES256 encryption, the decryption key is NEVER sent to Authy.
  5. The encrypted data and salt are sent to Authy to store.

As you can see the process is pretty secure and compared to the option of no backups, it offers a far better solution! Implementing the backup setup on your device is pretty straightforward too.

  1. In your app, go to your settings and then go to Accounts.
  2. In this area click the button for Backups.
  3. Enter your backup passphrase (don't lose this! Store it offline in multiple places at least).
  4. After this you will see Backups are now enabled and your accounts will show Backed Up next to them when complete and it will look something like below (on an android device):

backups enabled

Summing Up

Google Authenticator is quick and easy, but with the importance of having a fallback plan when significant amounts of money are on the line a true Secure backup solution is a requirement. Using Authy, secure backups eliminate the need to have to do a process like restoring settings from one phone to another.

Sidenote: In a future post I will go over why Time-Based One Time Password devices (TOTP) are not nearly as secure as Universal Two Factor (U2F) devices as well to further elaborate on the security aspect of two factor in our world today.

Thank you in advance for your comments, upvotes and follows!

Bitcoin 1KM5MaPNsZdAA6W3MQZQa2yqq1VzxV69My
Ethereum 0x79B4fAEAA31EAc19f33A1517288abE82cB2da6Fd
full logo.png

Sort:  

Not backing up your 2FA codes... :thinking_face:

That's really the core issue here. Everybody should back up their 2FA codes prior to entering them into the Google authenticator (or Authy) app!

might be worth to think about a change... but then i need to regenerate all codes... wow....

It is definitely a pain but long term worth that peace of mind.

I had just had a problem like you described with Google Authenticator, where I got a new phone and I couldn't turn on my old dead phone for its Google 2FA; I was totally locked out of the service until I found a way to briefly get the old phone to start.

Authy would have let me just use my new phone! Here's a trick for those still wanting to use Google Authenticator- when you sign up for a new account, save a screenshot of the QR code; that way I think you'll be able to recover on a different phone if you scan that (just remember to store the QR code safely!).

"store the QR code safely" being the key phrase here!

Good that you finally got into the old device, and not a bad idea if still using google to store the QR code offline!

Good post, I personally use Authy!

Appreciate it, used to use Google Authenticator but this very reason is why I stopped. Thanks for the comment!

This post highlights my newfound care and worry over my phone. I ride mountain bikes all the time with my phone and have been getting increasingly worried that I'm going to have to battle for access to my crypto's if something were to happen. I'm going to reasearch Authy and keep an eye out for your upcoming posts! Thanks!

One of the reasons I looked into it more as well, I'm around water a lot and with kids and water mixed into an equation I just know one day the result of that equation is going to be a ruined phone!

You're touching on a matter that I wanted to investigate myself as soon as possible. Even though I stopped using the Google Authenticator for accounts that say that online this one is supported I found that the Microsoft Authenticator app can as well import these keys. So I'm using the Microsoft Authenticator app for all accounts that have 2 factor security enabled.

That being said, I am not sure how I will get all keys back if I need to replace my iPhone. I'm hoping that everything set up in the Microsoft Authenticator app get's synced through iCloud. If that's the case then I'm pretty much all set. If that is not the case and I won't get the app back as I last synced it, then I will definitely need to start exploring other possibilities. Authy seems to be a pretty good solution but I'm hesitant of their own cloud backup nonetheless.

EDIT: did the research immediately and this is what came up:

  • I restored my device from a backup, and my account codes are missing or not working. What happened?

For security purposes, we don't restore accounts from app backups. After you restore the app, delete your accounts and add them again.

  • I got a new device. How do I remove the Microsoft Authenticator app from my old device and move to the new one?

Adding the Microsoft Authenticator app to a new device does not automatically remove it from any other devices. To manage which devices are configured for your account, visit the same website that you use to manage two-step verification, and choose to remove old apps.

So I definitely need to figure out what to use to prevent this from happening. Will look into Authy a bit more.

It's definitely a scary thought because it makes our phones that much more important. Thanks for reading and your comment sent you a follow

This is indeed an issue and I urge everyone to heed this advice!

I currently have a friend that has had this exact issue cause him to be locked out of an account that he set up 3 years ago, where he'd invested in a BTC mining company that currently has untold value in it, likely $1,000s. He's handed me 2 old phones with no batteries that maybe were used to set up the Google Authenticator as our only hope at this point of ever recovering those funds...

I hope you are able to recover those codes for your friend, that's a good deal of money to lose..

Maybe i misunderstand something, but it seems Google Authenticator has solutions for this:

https://support.google.com/accounts/answer/185834?hl=en

@johnecs, that article only applies to signing into Google services like GMail. It will not work for any other "apps" linked to Google Authenticator.

@lances is correct it is just in case you lose your phone and use it for 2FA to Gmail or other apps. Thanks for the replies

I changed to Authy about a year ago after some issues with Google. I don't remember exactly why but it worked out ok. Thanks for keeping people informed this is not the first time someone wrote about this issue.

Thanks for the response, the growing number of accounts I had on Google made me really start to worry about losing my phone but now I can not fret as much and glad others found this useful.

I'm using Google Authenticator (GA), and have just had my phone in for a repair. Had to dig out my old Android phone for use while my current one was in for the repair, and in this process I've learned the hard way that GA doesn't provide a backup and restore option. Luckily, I just discovered Authy, and will be migrating to it.

I'm a hardcore Authy user. It is much better than Google's app.