Comment by eadmund

4 months ago

It’s possible to synchronise secrets without sharing them with a third party: just encrypt them locally, transmit to third party, download to other device, decrypt.

This could be made easy for users by having each device share a public key with the third party (Google, in this case), then the authenticator app on one device could encrypt secrets for the other devices.

This would be vulnerable to Google lying about what a device’s public key is, of course, but enduring malice is less likely (and potentially more detectable) than one-time misbehaviour.
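The scheme in eadmund's comment, as an added Go example that is not part of the comment or of any Google code. RSA-OAEP, the function names, and the pinned-fingerprint check (one way a substituted key could be detected) are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// NewKey makes a device key pair; the private half never leaves the device.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Fingerprint is what devices would compare directly (assumed step, not in the comment).
func Fingerprint(pub *rsa.PublicKey) [32]byte { return sha256.Sum256(x509.MarshalPKCS1PublicKey(pub)) }

// Share runs on the sending device. served is the key directory the third party
// reports; the returned map is all that gets uploaded: one ciphertext per device.
func Share(served map[string]*rsa.PublicKey, pinned map[string][32]byte, secret []byte) (map[string][]byte, error) {
	blobs := map[string][]byte{}
	for name, pub := range served {
		if fp, ok := pinned[name]; !ok || fp != Fingerprint(pub) {
			return nil, fmt.Errorf("served key for %q does not match pinned fingerprint", name)
		}
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
		if err != nil {
			return nil, err
		}
		blobs[name] = ct
	}
	return blobs, nil
}

// Receive runs on the target device and decrypts the blob addressed to it.
func Receive(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, blob, nil)
}

func main() {
	k := NewKey() // stands in for the user's second device; the seed below is constructed
	served, pinned := map[string]*rsa.PublicKey{"tablet": &k.PublicKey}, map[string][32]byte{"tablet": Fingerprint(&k.PublicKey)}
	blobs, err := Share(served, pinned, []byte("JBSWY3DPEHPK3PXP"))
	fmt.Println(len(blobs["tablet"]), err)
}
```

Without the pinned fingerprints, `Share` would encrypt to whatever key the directory returns, which is the substitution risk the comment points out.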

> It’s possible to synchronise secrets without sharing them with a third party

Sadly the problem Google is actually trying to solve is providing security for the dumbest people you've ever met. Dumbasses are entitled to security too!

I'm talking people who've lost access to their e-mail, and their phone number, and their 2FA all at once. Then they've also forgotten their password.

No password manager, no backup phone, no yubikeys, no printed codes, no recovery contacts, nothing.

  • You're describing the majority of my extended family. Some of whom are well educated and tech illiterate.