Turning on two-factor authentication is one of the best ways to keep hackers from getting into your online accounts. The security measure, often called 2FA or multifactor authentication, requires you to enter a numeric code along with your username and password. So even if someone gets your password, they can’t get into your account without your sign-in code.
Security experts have recommended for years that these codes be generated with authenticator apps. Scan the QR code for the service you want to protect with two-factor authentication, and the app will give you a new log-in code about every 30 seconds. This week, Google updated its two-factor authentication app, Google Authenticator.
Google redesigned Authenticator to make it less cumbersome and added a feature that could be useful: you can now sync your sign-in codes to your Google account and to different phones and computers.
This means that your 2FA codes for Instagram, Gmail, Reddit, and any other accounts where you have it turned on will be saved. The change makes it much easier to switch devices if your phone with 2FA codes on it is lost or stolen. It could even keep you from being locked out of some accounts completely.
“Since Authenticator’s one-time codes were only stored on a single device, if a user lost that device, they couldn’t sign in to any service where they’d set up two-factor authentication with Authenticator,” Google’s group product manager Christiaan Brand wrote in a blog post announcing the change.
Brand says the sync tool has been one of the most requested features since the Authenticator app came out in 2010. “Because of this change, users are safer from getting locked out, and services can count on users keeping access. This makes things easier and safer.”
Your Google Authenticator codes are now synced through your Google account. The feature is available in the latest versions of Google’s app for iOS and Android. You can sign in to Authenticator with your Google login.
If you do this, your Google profile will appear in the top right part of the app next to a sync icon. After setting up sync on my phone, I got Authenticator on my iPad. Once I logged in, the codes showed up. You can also keep using Google Authenticator even if you don’t have a Google account.
Jake Moore, a global security advisor at the security company ESET, says he has been locked out of an authenticator app before and knows how frustrating it is to try to log back into all your accounts when you don’t have your sign-in codes.
“Cloud storage has made it easier to upgrade a phone over the years, but authenticating apps have been slow to join the party and have been cautious about security,” says Moore.
Google isn’t the only company that offers backups of 2FA sign-in codes. Since 2019, people who use the Microsoft Authenticator app have been able to use a “backup and restore” tool. Some third-party apps, like Authy, also work on multiple devices. (Apple’s all-in-one password manager lets you create and store sign-in codes on iPhones and Macs, but it doesn’t have a separate app.)
Google’s Brand makes 2FA code backups sound like a good thing for users, but Moore says there are always tradeoffs to make when trying to balance user security and ease of use.
Sure, if you back up your codes, it might be easier to get into your accounts if your phone is lost or taken. But the more places you store your codes, the more likely it is that an attacker can get to them.
For example, if someone gets into your Google account, they might also be able to get into your two-factor authentication codes for your other online accounts.
Kimberly Samra, a Google spokeswoman, says, “That risk is much smaller than the risk that you lose your device and don’t have your OTPs. If that happens, the service will have to use a much weaker way to let you log in.”
Tommy Mysk is an app developer and security researcher who runs the software company Mysk. He has tried many 2FA apps and found that some of them can be downloaded even though they are not safe. Mysk says that the big 2FA apps have some security and privacy flaws.
For example, Microsoft’s sync doesn’t work between iOS and Android devices, which makes it harder to switch operating systems and keep your 2FA codes.
Mysk says that Google’s Authenticator works “very well” and doesn’t send any information about QR codes to Google. “Most apps, including Microsoft Authenticator, send behavioral analytics—that is, how users use the apps and where they tap,” says Mysk. “This kind of information isn’t sent by Google Authenticator.”
Even though Google’s and Microsoft’s authentication apps make things easier, it doesn’t look like they protect 2FA sign-in codes with end-to-end encryption when they are synced. That method of encryption ensures that the companies can’t see what your sign-in codes are.
“Since 2FA apps deal with secrets, end-to-end encryption is the only safe way to sync data across devices,” says Mysk. “The person who made the app shouldn’t be able to see what the data says.”