Comment by morshu9001

8 hours ago

Google Authenticator used to be disconnected from reality like this. Users were asking how to copy the codes to another phone, and they said "you can't, WAI, should add the other phone as a second auth method on every site." Like how people say you shouldn't copy SSH privkeys. I figured out an undocumented way to do it on iPhone by taking an encrypted iTunes backup though.

Eventually they yielded on this, but their later updates had other usability traps. Because Google Auth was the household name for TOTP apps, this maybe ruined TOTP's reputation early on.

On the security versus convenience spectrum, allowing a user backup and taking an automatic corporate backup are far apart.

Yes you should do the former. That doesn't say much about the latter.

  • Except nobody wants to allow users to make backups themselves.

    Or maybe I missed something, and there is actually a way to download your phone backup from Google, or PC backup from Microsoft, as actual files you can browse, without having to have a sacrificial device to wipe and restore from backup?

> should add the other phone as a second auth method on every site.

That's the problem right there. Migrating my phone recently (without having broken/bricked the previous one, which is somehow even worse wrt. transferring 2FA these days than getting a new phone after the old one breaks!), I discovered that most sites I used did not allow more than one authenticator app. If I try to add the new phone as a second-factor auth method, the website deletes the entry for the old phone.
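The thread above keeps returning to the same point: a TOTP code is a deterministic function of a shared seed and the clock, so "copying the codes to another phone" really means copying the seed, and a second device holding the same seed is indistinguishable to the site from the first. The following is an added example, not code from any commenter or from Google Authenticator, implementing RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and the otpauth:// export/import round trip that authenticator apps use for QR migration. The issuer and account names are made up; the seed is the RFC 4226/6238 test-vector seed, so the expected codes can be checked against the RFC tables.

```python
"""TOTP (RFC 6238) and seed migration, as an illustration of the thread above.

The code is HOTP (RFC 4226) over floor(unix_time / 30); anything holding the
seed bytes can produce it. Exporting the seed is therefore the same risk class
as copying an SSH private key, which is the analogy the first comment draws.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, urlencode, urlparse


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the time step as the counter."""
    return hotp(seed, unix_time // step, digits)


def export_uri(seed: bytes, issuer: str, account: str) -> str:
    """otpauth:// URI, the payload authenticator apps encode in a QR code.

    The seed is Base32 without padding, which is what apps expect in `secret`.
    """
    secret_b32 = base64.b32encode(seed).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{params}"


def import_uri(uri: str) -> bytes:
    """Parse an otpauth://totp URI back into the raw seed bytes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    secret_b32 = parse_qs(parsed.query)["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore Base32 padding
    return base64.b32decode(secret_b32)


def codes_match_after_migration(seed: bytes, unix_time: int) -> bool:
    """Old phone holds `seed`; new phone imports the exported URI.

    Both produce the same code for the same time, so the site cannot tell
    them apart (and does not need a second enrolment for the new device).
    """
    # Hypothetical issuer/account names, chosen only for the example.
    new_phone_seed = import_uri(export_uri(seed, "example.test", "alice"))
    return totp(seed, unix_time) == totp(new_phone_seed, unix_time)


if __name__ == "__main__":
    # RFC 6238 Appendix B test seed (ASCII "12345678901234567890"). The RFC
    # lists 8-digit codes; the 6-digit value is the last six digits of each.
    rfc_seed = b"12345678901234567890"
    for t in (59, 1111111109, 1234567890):
        print(t, totp(rfc_seed, t))
    print("migration preserves codes:", codes_match_after_migration(rfc_seed, 59))
```

The practical caveat follows directly from the code: the seed never changes, so a copied or backed-up seed (whether in an encrypted iTunes backup, a cloud sync, or an exported otpauth URI) is a permanent second copy of the credential, not a one-time transfer. That is exactly why the "convenience" of user backups and the "security" of a corporate-controlled copy pull in opposite directions.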