The Google Authenticator app has received a critical update for Android and iOS that allows users to back up their two-factor authentication one-time passwords (OTPs) to their Google Accounts and have multi-device support.
Two-factor authentication (2FA) adds a second layer of security to your online accounts, making it more difficult for attackers to hack them. Accounts configured with 2FA will require users to enter a one-time passcode before logging into an account, which is sent via SMS texts, emails, or generated by an authenticator app.
Google Authenticator is an immensely popular authentication app with over 100 million installs that lets users generate these one-time passwords for 2FA verification.
Using an authentication app is a safer alternative to SMS and email-based 2FA because those can be compromised by hackers or ported by SIM swap actors, making it easier to bypass 2FA verification and hijack accounts.
Google Authenticator gets cloud backup
While Google Authenticator is immensely popular, one of the biggest critiques has been the inability to back up one-time 2FA codes and the lack of multi-device support.
Without this feature, if you lost your mobile devices where Google Authenticator was installed, you would also lose all of your 2FA configurations, making it very time-consuming and difficult to regain access to your accounts. Furthermore, without a cloud backup, you could not add your 2FA codes to multiple devices.
"One major piece of feedback we've heard from users over the years was the complexity in dealing with lost or stolen devices that had Google Authenticator installed," explains Google in the announcement.
"Since one-time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they'd set up 2FA using Authenticator."
With yesterday's Google Authenticator update, users will be prompted to log in to their Google account when they open the new version of the app and synchronize their 2FA codes with their Google account.
Google has set a requirement that 2-step verification must be activated on the Google Account for cloud backups to work, as it reduces the likelihood of unauthorized access.
The new Authenticator app update is currently available on the Apple iOS store but appears to be gradually rolling out to Android users. Therefore, be patient if you do not see the Google Authenticator version 6.0 available for Android yet, which includes the new features.
For more details about performing OTP backups, account synchronization, and migration, check out Google's step-by-step instructions.
Comments
aduwing - 1 year ago
About damn time Google.
fromFirefoxToVivaldi - 1 year ago
Amazing news.
This was keeping me from using authenticator apps. Without cloud backups, while as the article states
"Using an authentication app is a safer alternative to SMS and email-based 2FA because those can be compromised by hackers or ported by SIM swap actors, making it easier to bypass 2FA verification and hijack accounts."
authenticator apps without cloud backups can be compromised by sitting on the device or dropping it on the floor, which is much more likely than falling victim to a targeted attack.
XSp - 1 year ago
Question for people in the security community - is this a pro or a con for security?
I mean, the pro is pretty clear and something I'd actually want - a way to synchronize ToTP tokens through multiple devices and have it backed up somehow in a home server perhaps?
But doing it via the cloud opens up for all sorts of potential attacks and vulnerabilities.
Of course, Google isn't stupid in matters like that, so I imagine they are putting some extra layers to protect the... I dunno how to call it - the secret to make the time based calculation.
I'm currently using Aegis on an Android phone, but with my home server project going forwards, I'm currently thinking of moving to self hosted Vaultwarden and perhaps using the ToTP feature there.
I understand the cons in matters of putting all your eggs in one basket... but if I'm going to put ToTP into the cloud, I'd rather it be owned by myself rather than Google I guess.
fxn999 - 1 year ago
It's about time! Until now, Google Authenticator has had no features to speak of.
My opinion about whether it's a pro or con (but I'm not a member of the security community) is that it's probably a bit of both.
Con - of course, this is Google storing yet more data about you, but if you're already using Android and have associated it with a Google account, Google's already doing this. If you don't want it to have this data as well, don't use this authenticator.
Pro - definitely a step forward, but needs more. For example, being able to configure App Lock, and having one's own choice of backup storage to export the data to.
TsofT - 11 months ago
You're going to protect your cloud account with... keys in your cloud account?
It has always been possible to get and store the secret 2FA key separately when it's generated.
Google was right not to implement this before.