Comment by morshu9001
14 days ago
Google Authenticator used to be disconnected from reality like this. Users were asking how to copy the codes to another phone, and they said "you can't, WAI, should add the other phone as a second auth method on every site." Like how people say you shouldn't copy SSH privkeys. I figured out an undocumented way to do it on iPhone by taking an encrypted iTunes backup though.
Eventually they yielded on this, but their later updates had other usability traps. Because Google Auth was the household name for TOTP apps, this maybe ruined TOTP's reputation early on.
On the security versus convenience spectrum, allowing a user backup and taking an automatic corporate backup are far apart.
Yes you should do the former. That doesn't say much about the latter.
Well they also had the whole backup vs no backup debate. Eventually they added backup to Google account, but it was confusing at times whether or not you actually had a backup.
Except nobody wants to allow users to make backups themselves.
Or maybe I missed something, and there is actually a way to download your phone backup from Google, or PC backup from Microsoft, as actual files you can browse, without having to have a sacrificial device to wipe and restore from backup?
iPhone backups can be local at least. But the one time I used iCloud, I had to sacrifice a device just to load from backup.
> should add the other phone as a second auth method on every site.
That's the problem right there. Migrating my phone recently (without having broken/bricked the previous one, which is somehow even worse wrt. transferring 2FA these days than getting a new phone after the old one breaks!), I discovered that most sites I used did not allow more than one authenticator app. If I try to add the new phone as a second-factor auth method, the website deletes the entry for the old phone.