Comment by from-nibly
4 months ago
You can't revert, the keys are sent, they have them. They can't un have them. You'll need to rotate your MFA.
> You can't revert, the keys are sent, they have them. They can't un have them. You'll need to rotate your MFA.
Not true. See https://news.ycombinator.com/item?id=42471459
You've missed the point entirely. The point is not that you can't recover the codes. The point is that if you are concerned about uploading codes due to the security implications (which most people on here are) then you need to do more than just disabling uploading, you also have to go rotate all the secrets that were uploaded.
I understood the point, thanks. But I'm concerned about the scenario in the article, where someone did a device recovery and got access to the cloud synced auth codes.
I don't particularly like that my codes were apparently synced to Google's cloud without my being aware, or the UX that prevented me from noticing. But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes.
(And in fact I verified this by installing the authenticator on a tablet before turning off sync on my phone. The codes vanished from the tablet.)
In principle, yes I should rotate all the secrets. Because Google may have borked their data retention, or is just outright lying and keeping my secrets. In practice, though, for my personal account, I'm content that nothing has been compromised.
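An added example (not from the thread) of the rotation point above: a copy of a TOTP seed that was synced elsewhere keeps producing codes the server accepts until the account's seed is re-enrolled. It assumes RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step), uses the RFC's published test seed, and the replacement secret is a constructed value.

```python
import hmac
import hashlib
import struct

# RFC 4226/6238 test seed (ASCII "12345678901234567890"); the rotated
# secret below is a constructed value for this example.
SEED = b"12345678901234567890"
NEW_SECRET = b"rotated-secret-after-leak-00"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class Account:
    """Server side of the login: holds the seed and checks submitted codes."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def verify(self, code: str, at: int) -> bool:
        return hmac.compare_digest(totp(self.secret, at), code)

    def rotate(self, new_secret: bytes) -> None:
        # Re-enrolling MFA replaces the seed; every existing copy goes stale.
        self.secret = new_secret


def demo(at: int = 59) -> tuple:
    server = Account(SEED)
    synced_copy = SEED  # identical bytes once the seed was uploaded/synced
    # Turning sync off changes nothing about this copy: it still verifies.
    before = server.verify(totp(synced_copy, at), at)
    server.rotate(NEW_SECRET)
    # After rotation, codes from the stale copy are rejected.
    after = server.verify(totp(synced_copy, at), at)
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```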