How Google Authenticator gave attackers one company’s keys to the kingdom
Google's app for generating MFA codes syncs to user accounts by default. Who knew?
I was wondering why the university I'm attending uses a non-Google/non-Microsoft authenticator.
@Hawkmoon @arstechnica Hopefully they are using an #opensource alternative; those don't have a perverse incentive to tie the app to an account managed by a member of #GAFAM
There are several such options; #FreeOTP is my favorite https://freeotp.github.io/
@arstechnica So this is more about the Google Authenticator-specific syncing mechanism as a #security risk than any inherent #TOTP problem.
I get why there's a reference to #FIDO2, but I'd much rather use #SQRL than something that locks users to a specific (probably untrustworthy) provider.
@arstechnica It sure as hell didn't use to! I've lost like two Discord accounts to that fact.
@azuravt @arstechnica Yep, I've just looked up the post where I saw this feature first; it was in April: https://defcon.social/@mysk/110262313275622023
That's when I switched to #Aegis. You can make offline backups with it.
@arstechnica Alternatives?
@cg12 @arstechnica There are quite a few out there, I use this one:
Aegis Authenticator (Free, secure and open source 2FA app to manage tokens for your online services)
https://f-droid.org/packages/com.beemdevelopment.aegis/
@cg12 @arstechnica The alternative is to use an authenticator not attached to an account.
@arstechnica
Gotta put a plug in for Yubico Authenticator with YubiKeys.
Secrets are write-only, stored on the YubiKey, not on the phone, and thus not synced anywhere.
And you can use them as USB tokens directly too.
Just a satisfied customer...