

The other alternative is using Authy which will allow you to sync your codes across multiple devices including a desktop. Using the TOTP feature and Yubikey requires their "premium" paid service, but it's extremely affordable ($10/year for an individual, $40/year for a family of up to 6 users which also includes password sharing). This is secure as long as you keep your account secure (strong password and MFA, I use a Yubikey for MFA). It's handy because the MFA code lives with the password. You can put the TOTP code in when you save the password to the service and it will generate for you on the fly. But I consider that a failing on me for losing those, not necessarily with Google.

So yeah, it's frustrating, and I once went through some considerable pain trying to recover something from Google Auth where I had lost the recovery codes. As opposed to something like Authy with syncing where you could recover the account, meaning that now two devices can generate your 2FA codes (old and new), and if you do things in the wrong order you may be syncing a new 2FA seed onto your old device. So I think (playing devil's advocate a little) this is actually OK in the sense that it encourages that hygiene. In which case, good hygiene should require you to rotate all of your 2FA tokens and reset any super-critical passwords (for example for your primary email account) and so on. Because the other thing that could lead to you needing to "recover" an account would be losing your phone and it being in someone else's hands. I think in this specific circumstance, it's fair. Yeah, in typical Google fashion they release an app that's a bit half-baked and then kinda give up developing it. I'm sure I'm overlooking something really basic. I figure if anyone knows the answer, it'll be this sub.

Its being tied to the phone OS makes it not really a distinct authentication entity like a hardware token, so separating it from desktop seems pointless to me. I don't want to have to keep a spare phone with my auth app on it in case my phone breaks for the 1000th time and has to be replaced again. I'd just go with an RSA token for everything, but so many sites take Google Authenticator only. So why aren't they doing it? And furthermore, why do you have to scan a QR code or jump through a ton of hoops to get a recovery phrase by claiming you can't scan it?
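The two posts above turn on one fact about TOTP: the QR code you scan carries an `otpauth://` URI whose `secret` parameter is the entire credential, and every device that holds that seed (old phone, synced new phone, a desktop app) computes identical codes from the clock alone. The following is an added example, not code from any commenter or from Google Authenticator or Authy: it parses such a URI, implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, and shows that two holders of the same seed agree on every code, which is why a lost or superseded device has to be treated as holding a live credential until the seed is rotated. The `EXAMPLE_URI` secret is constructed for illustration; `RFC_SECRET_B32` is the published RFC 6238 test-vector key so the output can be checked against the RFC's table.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example; not a real account. This is what an authenticator QR
# code encodes. The 'secret' is a base32 key and is the whole credential.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30")

# RFC 6238 Appendix B test key: ASCII "12345678901234567890" in base32.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into label, secret, issuer, digits, period.
    Defaults (6 digits, 30 s) match what most apps assume when absent."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [None])[0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, timestamp, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    Nothing device-specific enters the computation, only seed and time."""
    return hotp(secret_b32, int(timestamp) // period, digits)


def verify(secret_b32, candidate, timestamp, digits=6, period=30, window=1):
    """Server-side check accepting +/- `window` periods of clock drift.
    Constant-time comparison avoids leaking how many digits matched."""
    counter = int(timestamp) // period
    for step in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + step, digits), candidate):
            return True
    return False


def codes_agree(uri, timestamp):
    """The thread's point in one call: an 'old device' and a 'new device'
    holding the same synced seed produce the same code at the same instant."""
    seed = parse_otpauth(uri)
    old_device = totp(seed["secret"], timestamp, seed["digits"], seed["period"])
    new_device = totp(seed["secret"], timestamp, seed["digits"], seed["period"])
    return old_device == new_device


if __name__ == "__main__":
    import time
    seed = parse_otpauth(EXAMPLE_URI)
    now = time.time()
    print("label:", seed["label"], "code now:", totp(seed["secret"], now))
    print("RFC 6238 check, T=59, 8 digits:", totp(RFC_SECRET_B32, 59, digits=8))
```

Run it and the RFC line should print `94287082`, the value in the RFC 6238 test table. The practical reading for the syncing discussion: because `totp()` takes nothing but the seed and the clock, "recovering" onto a new device does not invalidate the old one; only replacing the seed at each site (re-enrolling 2FA) does.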

Many would even pay a small fee to use it, vs. The app is widely used, so the investment in a desktop app would certainly not go to waste. Google is all over phones anyway, so there can't be that much gained from having app presence on phones to collect data.
