The upgrade matches a feature that rival authenticator apps and password-manager services have long provided. Thanks to Google’s Authenticator app, you no longer need to keep your one-time codes in a single location to secure your accounts. They can instead sync with your Google account.
A feature gap between Google Authenticator and competitor authenticator apps like Twilio’s Authy (as well as numerous password-manager services that have long provided cloud syncing) has been closed by this upgrade, which was released on Monday.
These programs all prevent passwords from serving as an account’s final line of defense by producing swiftly expiring, one-time codes with respect to the Time-Based One-Time Password (TOTP) standard). When you enter these digits on the website’s login page, the website compares the code you write to the one it just generated.
One of the first widely used TOTP apps was Google Authenticator, which debuted in 2010(Opens in a new window). However, during its initial years, it did not facilitate the phone-to-phone transfer of saved codes. You had to set up each account on a new device from scratch. Google security executive Stephan Somogyi told me in 2017 that this process was a complete, total, and unmitigated pain.
Later, Google developed a more user-friendly code-transfer system where your old phone’s copy of Authenticator creates a QR code that you scan with your new phone’s copy. The new account-synchronization function, though, ensures that your codes stay with you unless you want to use Authenticator without an account, and that doesn’t work with a lost or stolen phone.
You’ll need to add a Google account after updating the Google Authenticator app to have it set up. Then, you could download Google Authenticator for iPad, sign in with your Google account, and receive codes on both your iPad and iPhone. In exchange, the asterisk in Google’s blue, red, yellow, and green logo has replaced the formerly styled gray “G” in the app’s icon.
Passwordless authentication eliminates the need for two-factor authentication entirely by allowing you to confirm your login on a computer by unlocking your phone using biometric authentication (to confirm that it’s you) while nearby (as verified by Bluetooth to prove that you’re there). However, despite an extraordinarily united endorsement of the passwordless spec by Apple, Google, and Microsoft this spring, the industry is still just beginning to accept it.
The Google Authenticator App Backup Procedure
Here is an outline of how to back up your Google Authenticator app quickly and what steps you should take moving ahead.
- To begin, launch the Google Authenticator app. On your phone, launch the Google Authenticator app, and then tap the three small dots as seen in the illustration below.
- Click Accounts to Export. Choose export accounts from the menu after that.
- Click the Continue To Export Accounts button. Press continue to export accounts when you see the illustration below. Google Authenticator will let you choose which accounts you want to export if you have several accounts.
- Save The QR Code. You’ll see an export QR code on the Google Authenticator app. The QR codes are generated in batches of ten if you have more than ten objects saved in Google Authenticator. You can take a picture of this QR code and save it for further reference. On iOS, you can screenshot it, but it could be impossible on Android. The QR codes can also be photographed using a different phone or camera. Once you have the QR code images, it is preferable to print them out and store them in a secure location. It is not recommended that you save these screenshots to your phone’s photo collection. Digitally saving files to external media such as a flash drive, SSD, M-Disc, and others is an option, but you must store them safely. If you wish to protect the security that 2FA offers, do not keep these photos on your regular computer or phone.
- Maintain every exported account. The following page will question if you want to delete or keep the current codes after you have safely stored the export QR codes. It’s advisable to hold onto the current codes until you are certain they are completely backed up and secure.
Conclusion
Google released a major update to its 12-year-old Authenticator software for Android and iOS on Monday with an account synchronization option that lets users back up their time-based one-time passwords (TOTPs) codes to the cloud. “This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security,” Google’s Christian Brand stated. The upgrade, which also gives the two-factor authenticator (2FA) app a new icon, aligns it with Apple’s iCloud Keychain and fixes a long-standing criticism that it’s tethered to the device it’s installed, making moving phones difficult.
As Google puts it, “lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.” The cloud sync capability is optional, so users can use Authenticator without a Google account. However, a hostile actor accessing a Google account may hack other web services using cloud backups. Last week, Swiss privacy-focused business Proton announced Proton Pass, an end-to-end encrypted password manager. The open-source, publicly auditable solution integrates 2FA and uses bcrypt password hashing and a hardened version of the Secure Remote Password (SRP) protocol for authentication.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.