What is Reddit's opinion of Google Authenticator?

From 3.5 billion Reddit comments

>I accidentally sent my app. in through your email

Put two factor authentication on all your accounts right now if you don't have this active!

https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform%3DAndroid

You know that Google Authenticator can export your 2FA codes?

I mean you have already pointed it out.

So why this post? I mean.. you need to do the backup manually for the other apps too.

https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&hl=en

​

​

>In the Authenticator app, tap More More and then Transfer accounts and then Export accounts.
>
>Select which accounts you want to transfer to your new phone, and then tap Next.
>
>If you transfer multiple accounts, your old phone may create more than one QR code.

I think I need to warn people that what is being suggested here is, in general, bad security advice and represents a mis-implementation of the Google Two Step Verification API. Once a batch of devices is verified as properly installed on an issued Secret, it should no longer be valid or useful in any way!

To require someone to keep an established Secret in order to add new devices... and this shouldn't be a shocker... allows people to steal said secret and potentially remove the ability for your device to generate valid codes, while adding that ability to a device that they control.

For new phone/lost phone issues, the proper implementation of a system that could let you keep playing while Carbine deals with your ticket would be a Backup Code system, as you can easily revoke those at any time if there is a security threat. So while Carbine is working through the queue to get to your lost/new phone issue, you can continue to play.

Is correct and secure implementation of the system more work for Carbine? Yes, initially. But once they automate it, this shouldn't be any more overhead than anything else.

Even the above suggested system is considered fairly weak in the context of the 2 Factor setup for the game (validating for a week at a time, etc.) But at least it's within the parameters and the spirit of a Goggle 2 Factor implementation.

No, they openly tell people what they use. In fact, you, the customer, HAVE to know what they use in order to tell your software how to authenticate.

As an example, Google straight up tells you which algorithm they use (the part that say time based). Time-based means they use TOTP. You have to know what Google is using in order to know what options to pick on your OTP app.

The idea is that even if an attacker knows the algorithm AND knows your password they still cannot access your account without (in this Google example) that specific code that gets generated on your phone. And it comes with a time limit. So even if they had the ability to obtain your password, knows the algorithm, AND can steal your cellphone... They still have to be able to unlock your cellphone. And finally... Each code is only available for (I think) 30 seconds. So even if they managed to do everything and somehow obtain one of your codes, it is most likely no longer valid.

This is called 2 factor authentication and I highly recommend you enable it everywhere you can.

> You need:

Your old Android phone with Google Authenticator codes The latest version of the Google Authenticator app installed on your old phone Your new phone On your new phone, install the Google Authenticator app. In the app, tap Get Started. At the bottom, tap Import existing accounts?. On your old phone, create a QR code: In the Authenticator app, tap More More and then Transfer accounts and then Export accounts. Select which accounts you want to transfer to your new phone, and then tap Next. If you transfer multiple accounts, your old phone may create more than one QR code. On your new phone, tap Scan QR code. After you scan your QR codes, you get a confirmation that your Google Authenticator accounts have been transferred. Tip: If your camera can’t scan the QR code, it may be that there’s too much info. Try to export again with fewer accounts.

Here's a link.

Sounds like you have 2-Factor authentication turned on.

You can either turn it off there: https://myaccount.google.com/security#signin

Or if you want to keep your account well secured with 2 factor authentication, you can install the authenticator app https://support.google.com/accounts/answer/1066447?hl=en which can give you a code without going online.

With your google account signed in, go here to check what devices have connected in your name. If you see any you don't recognize, then you might have a problem.

Also, depending on where in CT you are, you might be being routed through your ISP or phone company to Boston to get to the outside world. More likely in Windham county than in Fairfield county - I grew up in CT.

If you have any concerns, turn on 2-Step Verification, including using Google Authenticator versus just using text messages.

After you get that set up, log out off all your google accounts on your computers, clear the browser caches, cookies, and histories, and then log in to google again. Approve each device with the Authenticator on your phone.

From the looks of it you are using gmail. Because of this, I would recommend that you get 2 step verification. It is similar to a blizzard authenticator and it does good work.

EDIT: Thought I would link you the official guide by Google: https://support.google.com/accounts/answer/1066447?hl=en

I use both depending on what the site offers.

On Coinbase for example I use Authy, but on the vast majority of sites (Cryptocoin related and email) I use the official Google Authenticator.

Here is the code for the Google Authenticator app, and here is where you can download it for your Android device. Also works for iPhone/iPad/iPod and Blackberry devices.

Install instructions for Google Authenticator.

Either provide a great layer of security that would benefit your users.

1. Directions.

2. Hold the space bar down.

3. Enable Reachability > pull down on the bar at the bottom of the display.

4. This might help.

Ma gmail est derrière une double authentification/google authentificator avec un pwd différents du reste, et une adresse mail de récupération derière... ça limite quand même les dégâts.

Vaux mieux une validation par mail qu'absolument rien comme c'est par défaut sur Amazon.

Here's a list of websites and services that offer/don't offer 2FA (two factor authentication) and what variety of authentication they support: https://twofactorauth.org/

At the very least I recommend you enable it on your primary email (if it supports it). As for what variation to use, I recommend the 'software token' which uses Google Authenticator to generate the random code: https://support.google.com/accounts/answer/1066447?hl=en

https://www.bankofamerica.com/privacy/faq/safepass-faq.go

Boa that I use will send a code with a text message to my phone before I can do anything major "more than pay a bill"

https://support.google.com/accounts/answer/1066447?hl=en

Google dose it with an app.

> That's not the issue I'm talking about. I can't use two factor authentication cause I don't have service in some classrooms,

Google Authenticator app OR even better is Security Key, both work offline anywhere in the world.

>and what does it matter anyway if my password is safe?

Your password is not safe. Sorry. Phishing is exceptionally effective depending on how badly an attacker wants your stuff. Beyond phishing, if you use the same password everywhere, it is already gone.

>I only login on my PC, tablet and school computers which all have deep freeze.

Neat, but that doesn't help much against the most common attacks.

For Google Authenticator Follow these instruction for manual setup, choose time-based and copy the secret key into the pOTP "Key Secret" field, put a name in the "Key Name" field (GMail, or username).

One you have verified the new code works in Authenticator, remove your old code (keep new code in mobile app as backup) from the mobile app. Repeat the process for other apps you'd like to generate codes for (Dropbox and other services that use Google Authenticator). Plug all that info into pOTP then generate and download your watchface.

Edited to clarify deleting code.

I looked it up before I wrote that: https://support.google.com/accounts/answer/1066447

"To set this up, first you need to complete SMS/Voice setup"

Am I misreading something? Either way, still don't have a compatible device, so this is pretty much moot anyway.

OK, Authy for sure follows over - and I see that Google requires you to have your old phone present:
https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform%3DiOS#zippy=%2Ctransfer-authenticator-codes-to-a-new-phone

I did turn 2FA off for Binance so I could disconnect my number from it and because I locked the account anyway.
Removing your banking information from it is probably the most important part there.

My phone carrier says 2FA for phones is impermeable but I have my doubts.

Boy, I would love to know which phone carrier told you this-- this is absolutely false. Not just for SMS based 2FA but any security implementation really. There is no such thing as absolute security, just more secure and less secure.

One of my concerns with Google’s 2FA is what happens when you switch phones. I hold onto an old phone because it has a 2FA on it that I don’t know how to transfer.
You just need access to both phones. Google has a guide here
https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform%3DiOS#zippy=%2Ctransfer-authenticator-codes-to-a-new-phone

I don’t think I can unlock my crypto to add this since I didn’t provide them with enough verification info, but I am absolutely willing to spend $40 to protect my Gmail accounts.
Same. I use Security Keys to protect as many accounts as they support.

I’m mostly freaking out over individual stories on Reddit and Quora
You really gotta be more specific-- many of these stories are also of folks not understanding what's going on under the hood. 🙂

Google Authenticator doesn't sync your codes to the cloud. They're only stored locally - if the phone is lost or the authenticator app is uninstalled, then that's it - codes gone.
Source: just looked, there's no option to login anywhere
Another source: this google support article which details how to transfer the codes but mysteriously lacks any kind of "login to google" method.
Another source: this article which, again, fails to mention any kind of "you just need to login" transfer/backup method.

You can put Google Authenticator on multiple devices by scanning the same QR code on each device during setup.

Set up Google Authenticator on multiple devices

To generate verification codes from more than one device:

1. On the devices you want to use, verify Google Authenticator is installed.

2. In your Google [Account, go to the 2-Step Verification section

3. If you already set up Google Authenticator for your account, remove that account from Authenticator. Before you remove that account from Authenticator, make sure you have a backup.

   1. To set up 2-Step Verification for the Authenticator app, follow the steps on screen. Use the same QR code or secret key on each of your devices.

4. To make sure it works correctly, confirm the verification codes on each device are the same.

Use Google Authenticator with multiple accounts or devices](https://support.google.com/accounts/answer/1066447?hl=en#zippy=%2Cset-up-google-authenticator-on-multiple-devices)

I believe the only universal way to transfer 2FA tokens is to set it up on second device. For example, Google Authenticator can be set up on multiple devices. Once it's on a second device, remove the authenticator from the device to be wiped, reset thst first device you just removed the authenticator from, then re-add the authenticator after the reset is complete. You can either leave the backup on the other device, to wipe that one if you don't want it to continue to generate 2FA codes

Alternatively, if you're using something other that Google Authenticator, that lacks a way to set it up on multiple devices simultaneously, you need to remove the 2FA from every account that uses this 2FA service, and then re-enabling it after the reset. You might be able to use the one-time-use recovery codes some amounts generate, or can be made to generate, when you enable 2FA, but I wouldn't pin my hopes on them (nor does every account use them).

That's the thing about real security: it's often a PITA to change or reset hardware. If it were easy - like having a way to recover the info after a reset - it wouldn't be secure. If it were possible for you to retrieve the codes from online, it would be possible for someone else. If it were possible for you to retrieve the codes after a device reset, it would be possible for someone else. 2FA requires scorched earth policies, but that is what makes it so secure.

Google Authenticator

It’s a 2-step Verification app that google uses for their services. There are some other services that use it, but I forget what they are atm. Twitch, maybe?

As for why it doesn’t fit, that’s just a thing with your device, I guess. Fits fine on my screen(s).

Is it in beta? The FAQ indicates it's merely manual transfer, and it will not automatically sync new accounts added on one device to others. Sure, it's maybe the preferred security for some people, but most users will just want to set up once, then not having to worry "hey, have I transferred that new account to the backup phone and laptop?". Each of those friction will just push the general public from using TOTP, and right now we still need to entice the masses to use TOTP in the first place, those paranoid who won't use syncing TOTP apps will use TOTP anyway.

https://support.google.com/accounts/answer/1066447#transfer_authenticator_codes

I think it would be stupid for Google to not include a way to transfer to a new phone.

Also a good idea to have backup codes if you lose your phone.

I could be wrong, but I have done it once for a root account to see what would happen.

https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&hl=en

Here is the google support, look under “multiple devices”.

No information about it on google support pages: https://support.google.com/accounts/answer/1066447?hl=en&ref_topic=2954345&co=GENIE.Platform%3DiOS&oco=0

​

I could not find it under gmail settings either. Any help? I have an assumption thát google wants the user to go with other recovery options like secondary mail or mobile number.

No information about it on google support pages: https://support.google.com/accounts/answer/1066447?hl=en&ref_topic=2954345&co=GENIE.Platform%3DiOS&oco=0

​

I could not find it under gmail settings either. Any help? I have an assumption thát google wants the user to go with other recovery options like secondary mail or mobile number.

crucial to keep your wallet safe. ERC 20 wallets, which are compatible with the NOIZ wallet, often use Two-Factor Authentication. After you log in with your password, there is a secondary method of authentication such as an SMS, email or Google Authenticator verification.

Deactivate Google Auth first, then when you register Google Auth again, use the QR code given to set up Google Auth on all the devices you want

https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&hl=en

ik heb alle stappen gevolgd wat ik op het net kon vinden.

https://support.google.com/accounts/answer/1066447?hl=nl

Volgens deze weg zou ik op GA door op het + teken te duwen, de optie tijdsgebonden moeten krijgen. Ik zou ergens in de app GA ook mijn account kunnen instellen, maar dat vind ik nergens terug. Als ik op + duw krijg ik enkel de opties streepjescode scannen en handmatige invoer. Verder vind ik nog feedback verzenden, servicevoorwaarden, privaacybeleid en juridische blabla

The authenticator is a means of enabling 2-factor authentication.

https://support.google.com/accounts/answer/1066447?hl=en

So I enter the local password but then also have to enter the unique 6 digit time-based code in order to fully log in.

EDIT: I should mention that ths doesnt use the google password to log in.

I went through that list looking for any, and all my emails with Ctrl+F and nothing popped up. Also tried looking for my girlfriends, both my brothers accounts and nothing is there.

I'd be willing to bet this list may be fake. Regardless, I'd change your passwords anyways and set up secondary authorization where you can (Google Authenticator, for example).

If you really care about your accounts/information, supply as little on the internet as you can, change passwords frequently and store them in SAFE places. Also, use different passwords for most of your accounts. You'd hate to have one discovered only to have the rest fall shortly thereafter.

You don't need an internet connection for 2-step. https://support.google.com/accounts/answer/1066447?hl=en

Pick up a cheap phone like the Verizon moto G for $50.

http://www.amazon.com/Moto-Verizon-Prepaid-Phone-Only/dp/B00HPP3QD6/ref=sr_1_7?ie=UTF8&qid=1403010534&sr=8-7&keywords=moto+G

Google's 2FA app does not have a built in QR code scanner, I assume this is also true for bitcoin apps, see here

>If the Authenticator app cannot locate a barcode scanner app on your phone, you might be prompted to download and install one.