← Back to context

Comment by aja12

22 days ago

>Most TOTP apps support backups/restores, which defeats this.

Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups

2 comments

aja12

Reply
Rubberducky1324  22 days ago

> Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups

Google Authenticator has an export option that I've used in the past, so that one does it for sure. Authy allows cloud-based synchronization in any case, so exporting seems quite possible. MS Authenticator also allow cloud sync, so probably exporting is not difficult.

  • aja12  22 days ago

    > cloud-based synchronization

    Well I don't disagree that it might be possible to abuse cloud sync in some way to export the secrets, but it's not quite as egregious as just including the secrets by default in an app backup

    Not perfect, but (imho) still better than SMS 2FA, mail 2FA, or lack of 2FA