Tell HN: 2FA code for Google account gone after Google Authenticator update
After a recent update, where Google added account support to yet another of their apps, I am no longer getting a 2FA code for my Google Account. Only dashes are displayed, and clicking on it shows a very terse error message: "Could not generate code for this account. Try removing it from Authenticator and setting it up...". Of course I opted out of using an account in Authenticator, as my phone is connected to a different Google account. So without any initial warning I am "locked out" of my Google account. Sure, I can still do the whole dance with backup codes, SMS verification or "other options", but such breaking behaviour should not be happening in an application of this high importance. And especially during the holidays. Good job everyone.
Good job indeed. Started happening some time in November, and they merrily keep rolling out this buggy Google Authenticator update after people reported the lock-out behaviour you encountered. Apart from corrupting the TOTP seeds for some users, this update also introduced the splendid new feature of backing up those secrets in, of all places, the Google cloud, opening up new vistas for hackers to take over your Google account completely. Which, apart from being a rather catastrophic issue in general for many people, is a very good starting point for emptying your online bank or crypto exchange account: https://news.ycombinator.com/item?id=42450221 So farewell, Google Authenticator, won't miss you.
yea fuck those things
Learned it the hard way; now my TOTP secrets are always copied into a Google Sheet so I can use any TOTP client.
I use a YubiKey which holds all my Google Auth 2FA secrets. A Yubico app generates the 2FA codes. I also have a hardcopy of all secrets. An additional advantage is that the YubiKey is protected with a PIN code. Works great for me.
I realize it's not for everyone, but since this is HN, I breathe a sigh of relief using this tool exclusively in Termux / a PC shell instead of an app that stores the secrets in an obfuscated/proprietary/inaccessible manner: https://github.com/gopasspw/gopass/blob/master/docs/features...
I was super annoyed when they added accounts to Authenticator and one misclicked pop-up sent my 2FA codes to the cloud. The moment I saw this new feature I knew something like what happened to OP would happen.
On the bright side I keep a copy of everything in a Yubikey as well.
Don't trust one singular monolithic entity with absolutely everything and you'll see fewer problems.
For this reason I've moved away from Google Docs, but still, if you ever lose access to Gmail, you'll lose all your account verifications that go through that email. Sure, you could use another email provider, but they have their issues as well.
Is there any solution to that?
For accounts I really care about, I use my own domain. Granted, it costs money and is temporary, lasting only as long as I pay, but the "ownership" is a bit better defined by law, from what I understand, than for most email accounts.