Comment by IanPPK on 06/05/2019 at 21:01 UTC*

5 upvotes, 1 direct replies (showing 1)

View submission: How to keep your Reddit account safe

Google Authenticator stores information locally on the device and is not cloud synced. At the end of the day, Google's two-factor authentication is only key generation based on a locally stored seed that a generator references, and there are other applications, such as LastPass Authenticator for one, that allow you to sync your two-factor authentication seeds with their service.

I recently had to move my seeds from my Nexus 6 on Google Authenticator, which was fortunately rootable, and so I was able to actually use an SQLite reader to pull the keys from the database directly in a secure manner. I can honestly say that it was a much easier process than having to deactivate 2FA and then reactivate it for each service I use, but you have to be careful.
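
To make concrete what "key generation based on a locally stored seed" means, here is an added Python example (not from this thread, Google Authenticator, or any other app) that parses the otpauth:// seed format authenticator apps export and import, derives RFC 4226/6238 codes from the seed, and includes the drift-tolerant, constant-time check a verifying server would run. The seed and URI below are constructed from the RFC reference secret, not real credentials.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed demo seed: the RFC 4226/6238 reference secret
# ("12345678901234567890"), base32-encoded as authenticator apps store it.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
# Constructed otpauth:// URI of the kind a migration export contains.
DEMO_URI = (f"otpauth://totp/Example:alice@example.com?secret={DEMO_SEED_B32}"
            "&issuer=Example&digits=8&period=30")

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth:// URI into its parts. The `secret` is the only
    confidential value; digits, period and algorithm are public settings."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"type": u.netloc, "label": unquote(u.path.lstrip("/")),
            "secret": q["secret"], "algorithm": q.get("algorithm", "SHA1").upper(),
            "digits": int(q.get("digits", "6")), "period": int(q.get("period", "30"))}


def hotp(seed_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte counter, dynamic truncation, decimal code."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(seed_b32, unix_time // period, digits, algorithm)


def code_from_uri(uri: str, unix_time: int) -> str:
    """Any device holding a copy of the URI produces the same code stream."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["period"], p["digits"], p["algorithm"])


def verify_totp(seed_b32: str, code: str, unix_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift; the
    compare is constant-time so a wrong guess leaks nothing via timing."""
    return any(hmac.compare_digest(hotp(seed_b32, unix_time // period + d, digits, algorithm), code)
               for d in range(-window, window + 1))
```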

Replies

Comment by boxsterguy at 06/05/2019 at 22:03 UTC

5 upvotes, 1 direct replies

> I can honestly say that it was a much easier process than having to deactivate 2FA and then reactivate it for each service I use, but you have to be careful.

I wish authenticator makers would figure this out. There should be a way to securely backup and move authenticator settings without having to root (I like Samsung Pay, and I don't want to break Knox by rooting). When I upgraded my phone last month, it was seriously a 3-day process to get all of my 2FA accounts moved over. That sounds worse than it really should have been, mostly because my bank sucks^(1), but it was still a good 2-3 hour process moving over ~95% of the accounts, with a couple outliers that took days.

Yeah, it was painful to do, but I'll still do it because authenticator-based 2FA is far superior to SMS or email-based 2FA.

^(1) My bank uses Entrust for 2FA rather than a normal TOTP authenticator. Normally this would be fine, except their "new soft key" workflow looks something like this:

1. Click the button to create a new softkey

2. Give the key a new name, which will generate a serial and activation code

3. Put the serial number and activation code into the Entrust app

4. Authenticate your current session with your ***EXISTING*** hard or soft key (remember, this is a "move 2FA" scenario, so it assumes you already have 2FA set up -- you won't see this path in a new 2FA scenario)

5. Done

Well, literally every other 2FA setup on the planet has for step 4, "Provide a token from your newly configured device to confirm it's working correctly." After trying and failing (and locking my account 2 different times) and calling support and not getting any help, I finally actually read in detail what was being asked for in step 4, provided my old key from my old phone, and everything worked. But it took 3 days to get to that point, because their UI sucked. If they had only done step 4 first, none of it would've been a problem.