Comment by karel-3d
4 months ago
They added this recently, because lots of people complained to Google that they lose their tokens; Authy and others started to gain traction because they did synchronization. Google was pretty much forced.
I know, 2FA loses the entire point when it's synchronized. But, well. People lose their stuff all the time!
I've had customers tell me that they cannot use email verification to meet a 2FA compliance requirement because it's not a second factor, but somehow SMS is. I always push back with "why not just good old TOTP" and the answer is that it's too easy for a customer to lose because it is only on their device. Like yeah... that's what makes it a real second factor.
It’s possible to synchronise secrets without sharing them with a third party: just encrypt them locally, transmit to third party, download to other device, decrypt.
This could be made easy for users by having each device share a public key with the third party (Google, in this case), then the authenticator app on one device could encrypt secrets for the other devices.
This would be vulnerable to Google lying about what a device’s public key is, of course, but enduring malice is less likely (and potentially more detectable) than one-time misbehaviour.
> It’s possible to synchronise secrets without sharing them with a third party
Sadly the problem Google is actually trying to solve is providing security for the dumbest people you've ever met. Dumbasses are entitled to security too!
I'm talking people who've lost access to their e-mail, and their phone number, and their 2FA all at once. Then they've also forgotten their password.
No password manager, no backup phone, no yubikeys, no printed codes, no recovery contacts, nothing.
You're describing the majority of my extended family. Some of whom are well-educated and tech-illiterate.