Comment by andyjohnson0

4 months ago

> You can't revert, the keys are sent, they have them. They can't un-have them. You'll need to rotate your MFA.

Not true. See https://news.ycombinator.com/item?id=42471459

You've missed the point entirely. The point is not that you can't recover the codes. The point is that if you are concerned about uploading codes due to the security implications (which most people on here are) then you need to do more than just disabling uploading, you also have to go rotate all the secrets that were uploaded.

  • I understood the point, thanks. But I'm concerned about the scenario in the article, where someone did a device recovery and got access to the cloud synced auth codes.

    I don't particularly like that my codes were apparently synced to Google's cloud without my being aware, or the UX that prevented me from noticing. But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes

    (And in fact I verified this by installing the authenticator on a tablet before turning off sync on my phone. The codes vanished from the tablet.)

    In principle, yes, I should rotate all the secrets, because Google may have borked their data retention, or is just outright lying and keeping my secrets. In practice, though, for my personal account, I'm content that nothing has been compromised.

    • > But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes

      Based on just your intuition. Since you don't have access to the backend specs or code, assuming this isn't a responsible security practice. It is a shortcut you can choose to take personally but should never take with any professional credentials.

      I'm going to point out that you responded "Not true." instead of adding a caveat about how you personally choose to ignore security best practices for personal accounts.