Comment by acdha
4 months ago
It is at least relatively new. Years ago I had to try the Google “hard landing” account recovery process because it wasn’t happening, which is how I learned that they had that form going to an email address which had been deleted. Fortunately I had paper recovery codes in my safe.
Google rolled out that hare-brained "improvement" in an update to Google Authenticator a few months ago, with the nice extra that for some users, when you dared unselecting the new cloud backup checkbox, the secrets stored in the app were instantly corrupted in some way, so you were locked out of your Google accounts immediately as a bonus <chef's kiss>. Happened to a family member, luckily they had a working emergency access method. We will never use Google Authenticator again.
Recommended alternative: 2FAS (https://play.google.com/store/apps/details?id=com.twofasapp) which allows you to import the secrets from Google Authenticator via QR codes, and has a local backup feature (e.g. to a USB drive).
As a side question: How do I, as a novice, vet a 2FA?
This has all the "looks nice", but I have no reason to trust this recommendation over any other social engineering.
My first impulse after ruling out Google Authenticator was to simply switch to Microsoft's Authenticator app (which I already had to use for a work-related thing anyway), thinking "of course MS would not make the same stupid mistake". Turns out they would, and they did. So alternatives from smaller vendors were the only option. In evaluating them, I focused on popular open-source solutions that had the features I deemed important (notably, local backup), and looked into the history, provenance and reputation of their vendors. Nevertheless, some risk will always remain.
I was one of the fools who installed the iOS 7 beta onto a phone that I depended on with Google Authenticator. The app had a compatibility issue with that beta release that caused it to disappear all my 2FA seeds except, very fortunately, for my Gmail. There was a bit of a ruckus about this here https://news.ycombinator.com/item?id=6112077.
Since then, I always use at least two 2FA apps at the same time.
I used andOTP for years, until the author stopped working on it. While it still likely works fine, I've switched to Stratum, which likewise supports import from the Google Authenticator export QR codes as well as from andOTP, authy, and others.
Ugh, yeah, that update.
You didn't have to do anything, either, the update just instantly corrupted some 2FAs. How can an app not do a TOTP? It's literally just math.
I had to recover a few MFAs from backup codes due to that.